Edit tour

Windows Analysis Report
iy2.dat.exe

Overview

General Information

Sample name:	iy2.dat.exe
Analysis ID:	1585150
MD5:	9fef401f768b474e5059f0bbc36a2fbf
SHA1:	18d988fbf1e53ba854d784d3a3c6665bf7b71534
SHA256:	84e5e532e64c7d1e5ea2457249d651ccd4554cfb1badab3195a8a44458f3f23c
Tags:	exeuser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

iy2.dat.exe (PID: 4308 cmdline: "C:\Users\user\Desktop\iy2.dat.exe" MD5: 9FEF401F768B474E5059F0BBC36A2FBF)

WerFault.exe (PID: 616 cmdline: C:\Windows\system32\WerFault.exe -u -p 4308 -s 1684 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["176.113.115.170"], "Port": 4412, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
iy2.dat.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
iy2.dat.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x9041:$str01: $VB$Local_Port 0x9065:$str02: $VB$Local_Host 0x7c28:$str03: get_Jpeg 0x7fd9:$str04: get_ServicePack 0x9f0a:$str05: Select * from AntivirusProduct 0xa5ca:$str06: PCRestart 0xa5de:$str07: shutdown.exe /f /r /t 0 0xa690:$str08: StopReport 0xa666:$str09: StopDDos 0xa75c:$str10: sendPlugin 0xa7dc:$str11: OfflineKeylogger Not Enabled 0xa934:$str12: -ExecutionPolicy Bypass -File " 0xadc3:$str13: Content-length: 5235
iy2.dat.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xaff1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb106:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xacde:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xad54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xadf1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xaf06:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xaade:$cnc4: POST / HTTP/1.1
00000000.00000002.3084025669.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: iy2.dat.exe PID: 4308	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.iy2.dat.exe.ec0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.iy2.dat.exe.ec0000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x9041:$str01: $VB$Local_Port 0x9065:$str02: $VB$Local_Host 0x7c28:$str03: get_Jpeg 0x7fd9:$str04: get_ServicePack 0x9f0a:$str05: Select * from AntivirusProduct 0xa5ca:$str06: PCRestart 0xa5de:$str07: shutdown.exe /f /r /t 0 0xa690:$str08: StopReport 0xa666:$str09: StopDDos 0xa75c:$str10: sendPlugin 0xa7dc:$str11: OfflineKeylogger Not Enabled 0xa934:$str12: -ExecutionPolicy Bypass -File " 0xadc3:$str13: Content-length: 5235
0.0.iy2.dat.exe.ec0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf54:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xaff1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xb106:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xacde:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T07:19:10.444900+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:14.233427+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:25.572913+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:38.391727+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:39.511983+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:49.392297+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:01.312710+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:06.679448+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:08.500473+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:11.764978+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:11.937599+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:12.102120+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:21.909490+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:24.246263+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:27.481508+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:27.726194+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:28.068538+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:42.127243+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:43.940060+0100	2852870	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T07:19:14.244714+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:19:25.588418+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:19:49.398891+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:06.681550+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:11.766461+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:11.947430+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:12.103659+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:24.250319+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:27.483528+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:27.732020+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:28.084507+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:28.370113+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:28.375113+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP

ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T07:19:10.444900+0100	2858801	1	Malware Command and Control Activity Detected	176.113.115.170	4412	192.168.2.5	49704	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T07:20:43.638213+0100	2858799	1	Malware Command and Control Activity Detected	192.168.2.5	49704	176.113.115.170	4412	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: iy2.dat.exe

Avira: detected

Found malware configuration

Source: iy2.dat.exe

Malware Configuration Extractor: Xworm {"C2 url": ["176.113.115.170"], "Port": 4412, "Aes key": "P0WER", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for submitted file

Source: iy2.dat.exe	Virustotal: Detection: 77%			Perma Link
Source: iy2.dat.exe	ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: iy2.dat.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: iy2.dat.exe	String decryptor: 176.113.115.170
Source: iy2.dat.exe	String decryptor: 4412
Source: iy2.dat.exe	String decryptor: P0WER
Source: iy2.dat.exe	String decryptor: <Xwormmm>
Source: iy2.dat.exe	String decryptor: XWorm
Source: iy2.dat.exe	String decryptor: USB.exe

Source: iy2.dat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: iy2.dat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .pdb> source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\iy2.dat.PDB source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdbH source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbTK source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb# source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3083550316.00000000014A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C251000.00000004.00000020.00020000.00000000.sdmp, iy2.dat.exe, 00000000.00000002.3083550316.0000000001452000.00000004.00000020.00020000.00000000.sdmp, WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb` source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb 0 source: WERF174.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\ServerF9C-4437-8B11-F424491E3931}\InprocServer32ddiskVolume119045Multiprocessor FreeMicrosoft Windows 10 Pro125244Win32_ComputerSystemuser-PC20231003105718.000000+12020230924161349.500000+12020231004161639.990000+1200809Microsoft Corporation source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF174.tmp.dmp.6.dr
Source:	Binary string: C:\Users\user\Desktop\iy2.dat.PDB7 source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb' source: WERF174.tmp.dmp.6.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 176.113.115.170:4412 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2858801 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound : 176.113.115.170:4412 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2858800 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 176.113.115.170:4412
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.5:49704 -> 176.113.115.170:4412
Source: Network traffic	Suricata IDS: 2858799 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 176.113.115.170:4412

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 176.113.115.170

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 176.113.115.170:4412

Source: global traffic

TCP traffic: 192.168.2.5:61377 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.170

Source: iy2.dat.exe, 00000000.00000002.3084025669.0000000003331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: iy2.dat.exe, type: SAMPLE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: iy2.dat.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.iy2.dat.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.iy2.dat.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\iy2.dat.exe	Code function: 0_2_00007FF848DA6306	0_2_00007FF848DA6306
Source: C:\Users\user\Desktop\iy2.dat.exe	Code function: 0_2_00007FF848DA70B2	0_2_00007FF848DA70B2
Source: C:\Users\user\Desktop\iy2.dat.exe	Code function: 0_2_00007FF848DA9C44	0_2_00007FF848DA9C44

Source: C:\Users\user\Desktop\iy2.dat.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4308 -s 1684

Source: iy2.dat.exe, 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs iy2.dat.exe
Source: iy2.dat.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs iy2.dat.exe

Source: iy2.dat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: iy2.dat.exe, type: SAMPLE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: iy2.dat.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.iy2.dat.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.iy2.dat.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: iy2.dat.exe, g3vLTCbXUu.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iy2.dat.exe, gu9bOeQlhx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iy2.dat.exe, gu9bOeQlhx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\iy2.dat.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\iy2.dat.exe	Mutant created: \Sessions\1\BaseNamedObjects\ukwmDtxIT3xNIMhL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4308

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a4b7ca1f-e919-42c0-b0cf-ad43d51b69a6

Jump to behavior

Source: iy2.dat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: iy2.dat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\iy2.dat.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iy2.dat.exe	Virustotal: Detection: 77%
Source: iy2.dat.exe	ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\iy2.dat.exe

File read: C:\Users\user\Desktop\iy2.dat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iy2.dat.exe "C:\Users\user\Desktop\iy2.dat.exe"
Source: C:\Users\user\Desktop\iy2.dat.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4308 -s 1684

Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: iy2.dat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iy2.dat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .pdb> source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbMZ source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Users\user\Desktop\iy2.dat.PDB source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdbH source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbTK source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF174.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb# source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3083550316.00000000014A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C251000.00000004.00000020.00020000.00000000.sdmp, iy2.dat.exe, 00000000.00000002.3083550316.0000000001452000.00000004.00000020.00020000.00000000.sdmp, WERF174.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C220000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb` source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb 0 source: WERF174.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\ServerF9C-4437-8B11-F424491E3931}\InprocServer32ddiskVolume119045Multiprocessor FreeMicrosoft Windows 10 Pro125244Win32_ComputerSystemuser-PC20231003105718.000000+12020230924161349.500000+12020231004161639.990000+1200809Microsoft Corporation source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF174.tmp.dmp.6.dr
Source:	Binary string: C:\Users\user\Desktop\iy2.dat.PDB7 source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: iy2.dat.exe, 00000000.00000002.3085388050.000000001BCF8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF174.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb' source: WERF174.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: iy2.dat.exe, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.dLJPDdcnEB9Ryo3voJBtwByyX3jjekjmR8inZ248xeorAqp7aT,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H._86oD7O9CdPNRJUhwMZezIFe4l8dPJlx5u8m8PlLWT4Wt6sQiJY,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.PA4Un7xVNvWhpahuqjh5Y3O425ZhHVE8kqZl,_1drXMZguCyjkS69w9843xRQWae29G0Rkg635mHuuLYoWVbvm6H.WFCAstKfN2gtu4FfocLdbZGGqqYvKz8fT7xXe6mh990ANevPjt,gu9bOeQlhx.lSNVNSUCuC()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: iy2.dat.exe, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{V2nmRLmSKF1CEazyoHYuo6m9emt17bq2u60rUAxnzDvQJcK4a9rBHo9H9fLDI1cmnLG6[2],gu9bOeQlhx._7pHqSkwgqs(Convert.FromBase64String(V2nmRLmSKF1CEazyoHYuo6m9emt17bq2u60rUAxnzDvQJcK4a9rBHo9H9fLDI1cmnLG6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: iy2.dat.exe, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs	.Net Code: iNEtFEzQwzL1gsauKFWGeQGfzsQSgjGcawEyzWnIgFvpytZaegyhRcGuB2j6S1vrFxUZ System.AppDomain.Load(byte[])
Source: iy2.dat.exe, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs	.Net Code: E5kKs9cj0uXdi6oiS8xSyZdpfTNQINOeGCuU3yun5uJ2InPZKjHJiG4ePpzOX6Eu2WJy System.AppDomain.Load(byte[])
Source: iy2.dat.exe, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs	.Net Code: E5kKs9cj0uXdi6oiS8xSyZdpfTNQINOeGCuU3yun5uJ2InPZKjHJiG4ePpzOX6Eu2WJy

Source: C:\Users\user\Desktop\iy2.dat.exe

Code function: 0_2_00007FF848DA00BD pushad ; iretd

0_2_00007FF848DA00C1

Source: iy2.dat.exe, CUJj8rhTUC.cs	High entropy of concatenated method names: 'B6q5G2SIT3', 'c0yaeoBjrR', 'hqd77vuGNU', 'KAYiml3MsKtSc', 'aiv8ZoOT4YBI8', '_46tL3teOEXUNN', 'WwEgkF8WBRcy4', 'uf2h91FEycj3T', 'Vw1iDoDKujbPw', 'mclGE0Q7t0qYP'
Source: iy2.dat.exe, aZ4hnq2aA0KBpgqPEF.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'mfNAitIckj4NZM6UvH1WtT0cue9liZa005dgrRM0kgmaaIxrJHD9ILQlGpqIFR1C5GmuLllOEDkazdBhh6VYu', 'NHutEdEkvOOERLuOEb6yRWTK2awrs6KebesmsBpgwYWUmGAwSJiGrRBBJZ1prqskP7hlrR0N6c6pwmywJnTCw', 'LOGfXtOFZW4Pm8XImq83GhOS2o3Yi74U3cP8h34tx1H4IU3tMYVzoTFutNiMsGUxMMYHYiGcTomBNmNaiwLVU', 'JguyEvhJ96xgcTi0zKq907HnYwvahHf1v3VIOnGGmI2lpBIr34ZT8aXP3B5jqIUldb8XD3xFHm4GqInQdxIYI'
Source: iy2.dat.exe, VN8UZyy4b6ESNDqqUGSm1D0bAFxMFecwJPTD.cs	High entropy of concatenated method names: 'RPuGXQ6eEPp6geOU0Iy1GedXs9zIFQfbQiqK', 'dSVoLC7GYwuGmoyaVZclYPKORUHHj2TjLpRx', 'xq7xlHw70jBHUJMXu0b63cowWU4Ak5ikAIf0', 'hgBtEJpsPGe2j4wka5wZmq3TR39i', 'YlnKy17j3mFutVXogXJv6TM1FOQM', 'WwxBrAJWPj9pbxi8xfwtPAvobkD7', 'lx2tjivEac0BPCldO9jc0aiU4eIJ', 'sNi3XLBswlyQCqHHMo347fz3LPBL', 'rU79mJTlAyFvUhEToiFuryRnbHsd', 'ce21UxqN1xMrMSQscrnLQ6jlYx0R'
Source: iy2.dat.exe, MvPAVnKqIH8ISu8gBJYY5gmCJsP0omLwRqEJtDvJXsXmZ0jFpjX6eble6AAlklEr1RPW.cs	High entropy of concatenated method names: '_88MEWWYcTrle5x9y1E3bbVOGiOhVYNIQ3HPrg8qL3Tt4jab8uIETF2yzNFMYqCpkq6oV', 'iNEtFEzQwzL1gsauKFWGeQGfzsQSgjGcawEyzWnIgFvpytZaegyhRcGuB2j6S1vrFxUZ', '_7uR9cusSyJEG8gI4fkoCkUrTHpTSpS29ZRX42sqWEWeL62HurIIVSdQNIVjwZGNcF6zI', 'z7Uu9Nwst38xH4Lb6iK6wscd1IvVTSDvqdBub3tkAd6kqZpG3NQc4nIupLyQVORTimKf', 'zDnCSJCxRduAbj3BVWXYmD8zW78orZqfPTNFH64ftnI0RiuCR1oK8y9iBJoMuoWa396W', 'sHWogUHlM5T3zyke8kOpBp0Kpsm1IUJJIYzPMZv4wS97epweNmefkbPA1zjJyTjMX8yu', 'XKXISg8cLhCpPEY3YssrbnrtvEkGkN4oRZj1N9uN1MsyKPtEFnDrKU6jebrlYra1NaWF', 'UBfcoXf9N6NSfgoXEIuWevbZ39xKvGThVPs0RNcxd7D70LRyWbSqTmnIBYXD87MRtShW', 'cqoNrWhmsgxXe090rjLWJqKQOHivj8cZcEYpREDUfj4fZmYtRsaEIAQNBbBTMmPiQED5', 'XITq9yUmYpS97z27lpSPUFacRf8UKfHW6RSBbSryUWljkM2WABqCYcMZjjl8Cz2trKES'
Source: iy2.dat.exe, wMziNr7YQaG4tCngR7hQC89Pal5rBGWte679.cs	High entropy of concatenated method names: 'K80s31ehnbTVEI4xL20Ml4v6hiDsMt2RT8Ke', 'Ic27ZYv8gPxLBu153FcudUwF9Ypa4lBkRvU3', 'oLDaVx8R7yqkdek4HxnPoMvlPLumWh42MsG4', 'UIoyb1EAVJ7DqYwwG4mEn86W2bIYrRKFtpjH', 'l3yJSMntP0aYhoUEQOIQiJ5MZMqnBBP8cH1h', 'YeIu5xqL9eFZ9yeDRUxZAVc5ol0vdbOF7MjQ', 'l0Vm0T55LV9uwyEUPA4YVhJ5zdJjC1FkyClX', 'a27dj8pdk7A2gTh6c8azwKq3GdPf4RBzEUU3', 'pabemwh3cC8ok4MqUKtUTAHOqH1eSpGMtCAu', 'rkgxmEW6ZGSC7RrGtgZhXDJjWerMKkrczxje'
Source: iy2.dat.exe, YyDTZrRoQx.cs	High entropy of concatenated method names: 'pH7JWkO8j8', 'y2ctnHNEemJ0b4dJSzr9951KJmUs', 'IH23sQMbMknL1tPv5C0CR180vRdv', '_7gd1KKxxKTOLCOQGeJjpw9WH2uIu', 'zB3h7kGtmNeaSPX4wxVktKFdmblc'
Source: iy2.dat.exe, g3vLTCbXUu.cs	High entropy of concatenated method names: 'Q8mwWLJjkp', 'DNXOHjXwwRN1Y0RZf8HGbp9XxdXj', 'yhm3mFjiu8qKagIG8tkVrfuICeQX', 'OZiOuYY75mwyk48M17of3NsL9IIt', 'Arr2zYwfIT23ekIUKysmLNPfG32B'
Source: iy2.dat.exe, gu9bOeQlhx.cs	High entropy of concatenated method names: 'IJ8IZmUQCc', '_9wFk9JCSot', 'GpXlnbAt9M', 'nT2yG43RnY', '_3rRzw2eaDt', 'KVNBLm4Pev', 'oxCLZhLXIe', 'FzoO6KSdPT', 'QrVMKdnxIk', 'qRtUVYT2W1'

Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\iy2.dat.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\iy2.dat.exe	Memory allocated: 1510000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Memory allocated: 1B330000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe	Window / User API: threadDelayed 9195			Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Window / User API: threadDelayed 644			Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe TID: 5536	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe TID: 5856	Thread sleep count: 9195 > 30	Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe TID: 5856	Thread sleep count: 644 > 30	Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW P
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: iy2.dat.exe, 00000000.00000002.3085505091.000000001C1B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\iy2.dat.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\iy2.dat.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Queries volume information: C:\Users\user\Desktop\iy2.dat.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\iy2.dat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: iy2.dat.exe, 00000000.00000002.3083550316.00000000014CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\iy2.dat.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: iy2.dat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.iy2.dat.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3084025669.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iy2.dat.exe PID: 4308, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: iy2.dat.exe, type: SAMPLE
Source: Yara match	File source: 0.0.iy2.dat.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3084025669.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iy2.dat.exe PID: 4308, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	131 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSASS Memory	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iy2.dat.exe	78%	Virustotal		Browse
iy2.dat.exe	82%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
iy2.dat.exe	100%	Avira	HEUR/AGEN.1305769
iy2.dat.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
176.113.115.170	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
176.113.115.170	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iy2.dat.exe, 00000000.00000002.3084025669.0000000003331000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.113.115.170	unknown	Russian Federation		49505	SELECTELRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585150
Start date and time:	2025-01-07 07:18:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iy2.dat.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 53 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 172.202.163.200, 13.107.246.45, 20.190.159.75
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target iy2.dat.exe, PID 4308 because it is empty
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:19:01	API Interceptor	2015516x Sleep call for process: iy2.dat.exe modified
01:20:43	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.113.115.170	176.113.115_1.170.ps1	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	82.148.27.5
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	176.113.115_1.170.ps1	Get hash	malicious	XWorm	Browse	176.113.115.170
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	178.132.202.249
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	82.202.242.100
	2.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iy2.dat.exe_491e14736a29cf94730c26c81a3cd39147dec53_bb1030e9_57a592c2-a5c4-4e5e-af60-504eedf37e98\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.209845655146789
Encrypted:	false
SSDEEP:	192:nddzrw367ta/081iHRa+z8iyolHTF3WzuiFcgZ24lO8/7:TemtB81ixaA8irzUzuiFcgY4lO8/7
MD5:	B8C33DA49825D186B27E6EF8A2F806F1
SHA1:	A1D22409CC368B86CAB1F089FC65E87988E7E89F
SHA-256:	8A33063F5202B2B864C4355CF24709DF25C076F50ED7494EA6E86B93737011C0
SHA-512:	8B876CD180C708588695A4319274B4FB005341FBACD3EB5B5957499AEEDFD97918A7C25BB355707B0D3F5EED749237DDD1DA40D356452B26BF7E2B616A1E2883
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.0.4.4.2.8.5.9.8.5.2.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.0.4.4.2.9.1.9.2.2.8.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.a.5.9.2.c.2.-.a.5.c.4.-.4.e.5.e.-.a.f.6.0.-.5.0.4.e.e.d.f.3.7.e.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.f.5.7.f.2.5.-.3.c.1.4.-.4.b.8.8.-.8.3.4.1.-.a.6.0.9.b.1.2.a.a.0.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.i.y.2...d.a.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.4.-.0.0.0.1.-.0.0.1.4.-.4.1.7.2.-.5.e.0.9.c.c.6.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.8.a.9.0.5.2.9.5.f.6.5.f.1.5.4.c.8.8.e.8.4.5.e.0.c.7.3.2.2.8.d.0.0.0.0.0.0.0.0.!.0.0.0.0.1.8.d.9.8.8.f.b.f.1.e.5.3.b.a.8.5.4.d.7.8.4.d.3.a.3.c.6.6.6.5.b.f.7.b.7.1.5.3.4.!.i.y.2...d.a.t...e.x.e.....T.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF174.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Jan 7 06:20:28 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	541055
Entropy (8bit):	3.0590334324856023
Encrypted:	false
SSDEEP:	3072:zS6m2sEBaRl1CCqkWF3+vFCFYBuO4MXXgwjcSWP+3cbA3qLBeDPBLl:w99qV3QhPQw3WW3c03qLBeT5
MD5:	C5DFB39A6A016F05EAD902BD29812DB7
SHA1:	0D62628FC810D620B0A8D1E68C2B6356CE098F92
SHA-256:	2141E22F014F69F67EA60FF3E43A32476160DF320DE35C0F6CCA3F2DBBABB05D
SHA-512:	CA6003F5F0A0E541DAC047D609262414F5F569C68C770F6215C22B78D6BA69E32A570FF32FB4EA203CAB6A7CC0994C70F2B7F9FB877A99BD10FFBDB7DB03CCF3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........\|g............4...........H...T.......$....&......d....&......t8..............l.......8...........T............@..............$4...........6..............................................................................eJ.......6......Lw......................T...........R.\|g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2FC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8878
Entropy (8bit):	3.7027964844686156
Encrypted:	false
SSDEEP:	192:R6l7wVeJ7QPhu6YEIreQ9gmfZA80prN89bOJhDfXam:R6lXJcQ6YEUeQ9gmfKCOPDfb
MD5:	1CEB63CAF4C8D0D20EF9EE50EA98612C
SHA1:	92D7E870EF881953C5C0648962041DBC136E5BE4
SHA-256:	B665897877F353716E597573704644229DCB480E3C585CFEA26CC4C49B36B4AE
SHA-512:	F925488DFAC3576B65B6F950DBA9F8A53D50E620E38D98A7E28869B96EF23047A7800B389571CDD0FECE82320F145E99C8F620256418E6D0F88E506B342F5474
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4765
Entropy (8bit):	4.442069378144097
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPXJg771I9ZOWpW8VYuYm8M4JkE+ZFmbjyq8vDE+x9UouY0d:uIjfP5I7Sv7V+JRHWR9UouY0d
MD5:	914F97357DF3F1E11CCE7F55B6C60EC0
SHA1:	7984F702F00E8FA45D1FB8D6A08EDD2C46ED4904
SHA-256:	66BA28D3DC7DA3F9B92712334A2D557E2AF52F4B8417CECE18FB53FF4F387A56
SHA-512:	7C55854D66033CE6636A9DD0D22CF528C41E3AF71EB9DD017771D3BDD23332E119F9D849F79F7FE3DEA039ACD9053E798CB5350EB6A3C388184DE6BD3E31B2DE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="665123" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421679104453706
Encrypted:	false
SSDEEP:	6144:7Svfpi6ceLP/9skLmb0OTYWSPHaJG8nAgeMZMMhA2fX4WABlEnNK0uhiTw:mvloTYW+EZMM6DFyI03w
MD5:	1BD8F5E97E265AFDE120F9358EA01495
SHA1:	F03A40A651808FF13AEB5E9625932E526A35B86F
SHA-256:	6B3B9EAA7C44B434013860EE1869A9C416FEA54993B1858AF313F5FDB0138E49
SHA-512:	3BF11B8DCFF20FD49B18E0291EC3C412FBDF52E18209EB143922B3DD2836E4F9F8D96860E8D905DEF60B6350E802D1ADC5DE72A86F5BEB962BABD8684B8447A6
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...?.`..............................................................................................................................................................................................................................................................................................................................................`^..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.949310477914818
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	iy2.dat.exe
File size:	51'712 bytes
MD5:	9fef401f768b474e5059f0bbc36a2fbf
SHA1:	18d988fbf1e53ba854d784d3a3c6665bf7b71534
SHA256:	84e5e532e64c7d1e5ea2457249d651ccd4554cfb1badab3195a8a44458f3f23c
SHA512:	cb9a66e9befd07f31c220b4cf33db78bacea3f127f4c70b022d07773534c40748ce0b59e3aca9b3151d9f0b7c52a4bb0e46068d679014a37927237651174d6dc
SSDEEP:	1536:uHOanvBqsfhgnOX0YLkbDsvW7UK6OOmmv:uHjvOOkbDsvsUKpOmw
TLSH:	18337D2937B68229E1FF5FB018F23152E335B6276913E79F28D441D62F17A88C9412F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mg................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40deee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676D98C6 [Thu Dec 26 17:56:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xde94	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbef4	0xc000	d0dbe3146e2d9f3463c37b48bb998dd5	False	0.6047566731770834	data	6.0581236617258485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x4ce	0x600	8e419a62ee542690684c0878869e76ec	False	0.3756510416666667	data	3.7216503306685733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	ef90efd9869d3966ea854dcebcfefb5c	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xe2e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T07:19:10.444900+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:10.444900+0100	2858801	ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:14.013092+0100	2858800	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:19:14.233427+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:14.244714+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:19:25.572913+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:25.588418+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:19:38.391727+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:39.511983+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:49.392297+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:19:49.398891+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:01.312710+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:06.679448+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:06.681550+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:08.500473+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:11.764978+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:11.766461+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:11.937599+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:11.947430+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:12.102120+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:12.103659+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:21.909490+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:24.246263+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:24.250319+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:27.481508+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:27.483528+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:27.726194+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:27.732020+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:28.068538+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:28.084507+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:28.370113+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:28.375113+0100	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:42.127243+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP
2025-01-07T07:20:43.638213+0100	2858799	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49704	176.113.115.170	4412	TCP
2025-01-07T07:20:43.940060+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	176.113.115.170	4412	192.168.2.5	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 07:19:02.538810968 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:02.543788910 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:02.543872118 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:02.706574917 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:02.711393118 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:10.444900036 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:10.491672993 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:14.013092041 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:14.017983913 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:14.233427048 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:14.244714022 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:14.249553919 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:25.320708036 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:25.325634956 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:25.572912931 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:25.588418007 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:25.593209982 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:36.633061886 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:36.637963057 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:38.391726971 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:38.393760920 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:38.400790930 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:39.511982918 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:39.554348946 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:43.266155005 CET	61377	53	192.168.2.5	162.159.36.2
Jan 7, 2025 07:19:43.271002054 CET	53	61377	162.159.36.2	192.168.2.5
Jan 7, 2025 07:19:43.271099091 CET	61377	53	192.168.2.5	162.159.36.2
Jan 7, 2025 07:19:43.275965929 CET	53	61377	162.159.36.2	192.168.2.5
Jan 7, 2025 07:19:43.734675884 CET	61377	53	192.168.2.5	162.159.36.2
Jan 7, 2025 07:19:43.750107050 CET	53	61377	162.159.36.2	192.168.2.5
Jan 7, 2025 07:19:43.750159025 CET	61377	53	192.168.2.5	162.159.36.2
Jan 7, 2025 07:19:47.945591927 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:47.950356960 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:49.392297029 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:49.398890972 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:49.405406952 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:19:59.258220911 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:19:59.263561010 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:01.312710047 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:01.367172003 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:01.459089041 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:01.464874983 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:06.461393118 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:06.466259956 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:06.679447889 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:06.681550026 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:06.686383963 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:08.500473022 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:08.556369066 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:11.195425034 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:11.200290918 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:11.242324114 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:11.247231007 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:11.367336035 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:11.372328043 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:11.764977932 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:11.766460896 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:11.771334887 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:11.937598944 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:11.947429895 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:11.952259064 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:12.102119923 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:12.103658915 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:12.108510971 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:18.804995060 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:18.809746981 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:21.909490108 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:21.940459013 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:21.945434093 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:24.008482933 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:24.013449907 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:24.246263027 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:24.250319004 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:24.255160093 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:26.961239100 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:26.967461109 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:26.976747036 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:26.982660055 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.054925919 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.059698105 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.101931095 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.106710911 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.305145025 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.309967995 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.383160114 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.387981892 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.481508017 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.483527899 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.488353968 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.586386919 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.591212988 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.601851940 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.603908062 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.648399115 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.648437977 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.648511887 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.653295994 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.726193905 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:27.732019901 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:27.736857891 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:28.068537951 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:28.084506989 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:28.089375019 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:28.242996931 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:28.292510986 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:28.370112896 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:28.374963045 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:28.375113010 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:28.379872084 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:42.127243042 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:42.179828882 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:43.638212919 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:43.643928051 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:43.940059900 CET	4412	49704	176.113.115.170	192.168.2.5
Jan 7, 2025 07:20:43.989476919 CET	49704	4412	192.168.2.5	176.113.115.170
Jan 7, 2025 07:20:43.996339083 CET	49704	4412	192.168.2.5	176.113.115.170

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 07:19:43.265588045 CET	53	65019	162.159.36.2	192.168.2.5
Jan 7, 2025 07:19:43.749727964 CET	53	49484	1.1.1.1	192.168.2.5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iy2.dat.exePID: 4308, Parent PID: 1028

General

Target ID:	0
Start time:	01:18:58
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\iy2.dat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iy2.dat.exe"
Imagebase:	0xec0000
File size:	51'712 bytes
MD5 hash:	9FEF401F768B474E5059F0BBC36A2FBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2035640365.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3084025669.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 616, Parent PID: 4308

General

Target ID:	6
Start time:	01:20:28
Start date:	07/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4308 -s 1684
Imagebase:	0x7ff651120000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: iy2.dat.exePID: 4308, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848DA9C44 Relevance: 2.2, Strings: 1, Instructions: 984COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848DAA6FF

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: def16342d11ece14160ca8224eea60d5d33b96fe84aa82e7b5db959a0416721f
Instruction ID: f5cff7b7e13bc4e9c419b58d98e71e3e67a08587321ff5634ea76ef377acd1c3
Opcode Fuzzy Hash: def16342d11ece14160ca8224eea60d5d33b96fe84aa82e7b5db959a0416721f
Instruction Fuzzy Hash: 10628B30E1EA0A9FEA94FB38845177962D7EF98394F648578D01EC32C6DE2CAC468745

Function 00007FF848DA6306 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4a200c9d28d8ee870f44b5ee9faeefe6771c58be13dbed898a50c2e3a43f38
Instruction ID: 47af0ce11feb1274126b434e6b29c1c777ebca6f9d7baaae28e1d96609119414
Opcode Fuzzy Hash: 9a4a200c9d28d8ee870f44b5ee9faeefe6771c58be13dbed898a50c2e3a43f38
Instruction Fuzzy Hash: 66F1BF3090DA8D8FEBA8EF28D8557E937E1FF54350F14426AE84DC7295CB74E8458B82

Function 00007FF848DA70B2 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5204cf26a8c7fab68aaf4cf7ad98821cf9ba7bb613a8047efd01505deb8c66
Instruction ID: 83ecef05ffcbdf56099f69d383b19d4d8da774ced014822a90e75cf9843c3c0f
Opcode Fuzzy Hash: 6f5204cf26a8c7fab68aaf4cf7ad98821cf9ba7bb613a8047efd01505deb8c66
Instruction Fuzzy Hash: 3EF1C13090DA8E8FEBA8EF28C8557E937D1FB54350F14826EE84DC7291DB78A9458781

Function 00007FF848DA85F0 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA867A
L_^, xrefs: 00007FF848DA8612
L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^
API String ID: 0-639022185
Opcode ID: 5b3558fd1ee27e6ea4b456705ee83d1b2fae010b2e09a85f3fb9b2e6f0520ebf
Instruction ID: 05688d1baa2b7e81660e4bfcebc4a711a09aec5ca50a9871c167e59588114bd5
Opcode Fuzzy Hash: 5b3558fd1ee27e6ea4b456705ee83d1b2fae010b2e09a85f3fb9b2e6f0520ebf
Instruction Fuzzy Hash: A861F5B2D0FBC64FF356A62858592F97BA1FF11394F1D00F6C499871D3EE19280A934A

Function 00007FF848DA8618 Relevance: 2.9, Strings: 2, Instructions: 374COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA867A
L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^$L_^
API String ID: 0-2199681630
Opcode ID: 73f5a018a0e97d230bba3b8507fba4f43ef773cdd7e58dce2f036572a601d6a8
Instruction ID: 4cf1e470463d118ffb4ba86074ad1292805158a77840e6b99d4fa28f30b60929
Opcode Fuzzy Hash: 73f5a018a0e97d230bba3b8507fba4f43ef773cdd7e58dce2f036572a601d6a8
Instruction Fuzzy Hash: 9251F772D0EBC64FF356A63858592F97BA1FF11394F1C00FAC499871D3EE19280A934A

Function 00007FF848DA8648 Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA867A
L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^$L_^
API String ID: 0-2199681630
Opcode ID: be1cc1abee485879e22cd55f079bde4a18c60d64a470fc34bc05de5d6b226b5c
Instruction ID: 9c85a0754086cd9c93357e18dafb1213d95552078b19658092e2f9db8d6d2c10
Opcode Fuzzy Hash: be1cc1abee485879e22cd55f079bde4a18c60d64a470fc34bc05de5d6b226b5c
Instruction Fuzzy Hash: 6251C262D0EBC64FF356A63858592F97FB1FF11390F1800FAC499871D7EE19280A935A

Function 00007FF848DA8678 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: fd48d7fe876baacb3cf41579785f8e2d4ae0c8bb51e8e748c7803509cc8ef6eb
Instruction ID: c710fdc999ef0cceecb66feb56497c2620c70b5a9bfe6da9cc501dccd5b74679
Opcode Fuzzy Hash: fd48d7fe876baacb3cf41579785f8e2d4ae0c8bb51e8e748c7803509cc8ef6eb
Instruction Fuzzy Hash: CF41F662D1EBC64FF346A73858592F97FB1FF11290F1800F6C498871D3EE19280A935A

Function 00007FF848DA8688 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: aac4b6125322db77301fec8ff1288966079c98a5e6d5b14d97803515833d06df
Instruction ID: 4c3a304a6ed6c5c99adce6bb60af84f1744b9577e343e1eaa467e4d9a1bd5985
Opcode Fuzzy Hash: aac4b6125322db77301fec8ff1288966079c98a5e6d5b14d97803515833d06df
Instruction Fuzzy Hash: DC41E162D1EBC64FF346A73858692F97FB1FF52290F1800F6C488871D7EE192809935A

Function 00007FF848DA86B8 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: 5c8d7c2bb105ead8493fb40f440d448f7703d47afaaf5514addb88ccda7fe356
Instruction ID: 715253a8b9873a75054f0bfdd5aec5668a72ef2f97ff5881139048e9c2b0087a
Opcode Fuzzy Hash: 5c8d7c2bb105ead8493fb40f440d448f7703d47afaaf5514addb88ccda7fe356
Instruction Fuzzy Hash: 1441EE62D0EBCA4FE346A63868692F97BB1FF42290F5801F7C488C71D7DE181809935A

Function 00007FF848DA86A8 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848DA86C9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: L_^
API String ID: 0-925995230
Opcode ID: b4f31261697daedae740fd05fab2635bca359818bd4731ae99f61181df69fcd1
Instruction ID: ff5b6061c27dabef0306bdbbbe2eb938c811e97d6400ba978ea91f27aa5e6643
Opcode Fuzzy Hash: b4f31261697daedae740fd05fab2635bca359818bd4731ae99f61181df69fcd1
Instruction Fuzzy Hash: A941EE62D1FBCA4FE346A63858692F97BB1FF12290F5800F6C488C71D7EE191809935A

Function 00007FF848DA8F0D Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848DA90A9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 0d3d6229d17ff1ede9613c6ee7e20198a69469fa2056507ece2fb1cf23f3c891
Instruction ID: 2e0b3f03125f8b2895010f3ba432018d316e44764381cb30011fc6854e89854a
Opcode Fuzzy Hash: 0d3d6229d17ff1ede9613c6ee7e20198a69469fa2056507ece2fb1cf23f3c891
Instruction Fuzzy Hash: 01712531E1DA495FEB95FB6898597B9B7E1EF88350F14017AD00DC32D2CE28A8468745

Function 00007FF848DA8F60 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848DA90A9

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 41626edd1735f10bc73da7e40bd47141190ef477695e66139d92ad248d61ee86
Instruction ID: 338fb3e467ec54603272be415d88018431135321b3d365aea773f77c82d41e54
Opcode Fuzzy Hash: 41626edd1735f10bc73da7e40bd47141190ef477695e66139d92ad248d61ee86
Instruction Fuzzy Hash: 4A51A230E1DA089FDB98FB68C499BB9B7E1EF88750F140179D01ED3296CF28AC458744

Function 00007FF848DA7E61 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF848DA7ED3

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 705a7f14ea673e62e9c02b7f12af3c21e80a198dc5741b4bb8b2c2f372cf636a
Instruction ID: e09ebf6c7dcf6d7b20fb155ea81027177388f75561903442b5052ad4db6ae1bd
Opcode Fuzzy Hash: 705a7f14ea673e62e9c02b7f12af3c21e80a198dc5741b4bb8b2c2f372cf636a
Instruction Fuzzy Hash: 73210632C0D39A4FEB01ABB488053F9BBE0EF45354F1500BBD489D31D2EB2C694987A6

Function 00007FF848DA86F8 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4dd37abe80b05dacdff777b31cae509bb3d5dc4d4ac97557a4c537d4e1f205
Instruction ID: 83c51589a8df40acc1e679f88cb5bc3f3ce0f11d551dac2435eb8a8ce7e7d0de
Opcode Fuzzy Hash: dd4dd37abe80b05dacdff777b31cae509bb3d5dc4d4ac97557a4c537d4e1f205
Instruction Fuzzy Hash: 94310262D1EB8A4FE346B77898252F97BB2FF42290F5400B6C049D71D7DE1C1809935A

Function 00007FF848DA11B0 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31aada8bc735c62df451760d832083f80ec3fa4603ccd3fc08904ab9606d3a82
Instruction ID: 5a3da6e0df2ed91e585c60683f4e7c44ddc6a0ddc387bf079af75982c88c7eef
Opcode Fuzzy Hash: 31aada8bc735c62df451760d832083f80ec3fa4603ccd3fc08904ab9606d3a82
Instruction Fuzzy Hash: AED11530E1DA199FEB99FB2880947B477E2FB98394F604179D01EC72DACF38A8458745

Function 00007FF848DA21A0 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00605a252c53b2126b295a5a88f3991d49eac744b5c908a171f9ed86e94a606
Instruction ID: 85da31b069fb7fca3c4063f07ef4985d0b1185e1ee39877291cce5868a905818
Opcode Fuzzy Hash: c00605a252c53b2126b295a5a88f3991d49eac744b5c908a171f9ed86e94a606
Instruction Fuzzy Hash: 80C14921F1EA894FE758AB3854593B9B7E2FF99790F54017AD04EC32C7DE2858068386

Function 00007FF848DA6CC6 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fc7a714da5a10589a78e08c5e74a5f44cc67244972a09e54cac0452997c73f
Instruction ID: 18440c2a13f42abd49fce758028150205a299c92ff450e22763c7425310f4639
Opcode Fuzzy Hash: 24fc7a714da5a10589a78e08c5e74a5f44cc67244972a09e54cac0452997c73f
Instruction Fuzzy Hash: 6FB1023050DA4D8FEB68EF28D8557F93BD1EF55350F10826AE84DC7292CB3499448B86

Function 00007FF848DA86C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f92789e4b24cf67ad30c0e5c649d6f01cad36b22a07b6f830b04f636f1e094b
Instruction ID: eaaab875b9fe3ee011b1447c8dc67d79d6b1688dbd43b83c0bc7ce80e4df8e9a
Opcode Fuzzy Hash: 6f92789e4b24cf67ad30c0e5c649d6f01cad36b22a07b6f830b04f636f1e094b
Instruction Fuzzy Hash: 1D31EE62D1EB8A4FE346A73898692F97BB1FF42290F5801F7C088C71D7DE191809935A

Function 00007FF848DA86D8 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79ef18339ca57f9176800ab781ab1455e4882899a97cb227795ca3767256c1b
Instruction ID: a70b1acf7e10030ded8c320a9f5cd8e3493fcb9025a77490d09835be3b8d8827
Opcode Fuzzy Hash: c79ef18339ca57f9176800ab781ab1455e4882899a97cb227795ca3767256c1b
Instruction Fuzzy Hash: 83311462D1EB8A4FE346A73898252F97BB1FF42290F5401F7C088C71D7DE1C1808935A

Function 00007FF848DA86E8 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c3adea7c80d3682d28a6517486f0b1e0e11705a917146f8171e759b53d4bc8
Instruction ID: b40978c12261b7a5b58e1f04eb6c3a5890810e79c92954dee693d76184fd76ea
Opcode Fuzzy Hash: 30c3adea7c80d3682d28a6517486f0b1e0e11705a917146f8171e759b53d4bc8
Instruction Fuzzy Hash: 79310462D1EB8A8FE746A73898252F97BB2FF41290F5400F6C088D71D7DE1C5809935A

Function 00007FF848DA89C9 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252c2c50c8a3134c61e4e9f3d40f0d9ee6882249ad9e31eccff0e95ef8de100a
Instruction ID: 967130447a0106abd3ffc422a81f476fa75909cc2b7595c5ff0bbdb737ec5a96
Opcode Fuzzy Hash: 252c2c50c8a3134c61e4e9f3d40f0d9ee6882249ad9e31eccff0e95ef8de100a
Instruction Fuzzy Hash: 02910471E0EA4A5FE754F73888593A4B7E1EF45390F5442B6D80DC31D6DF2CA84A8385

Function 00007FF848DA26A0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4508a1ff5fb7e27f7a0d1b6f49e9c91493dc52e499605473d5d82081b44b14
Instruction ID: 8c44ba8355fff4f29ae02febe7c419236f4e310bbc7bee65d214754d26f0d4c6
Opcode Fuzzy Hash: af4508a1ff5fb7e27f7a0d1b6f49e9c91493dc52e499605473d5d82081b44b14
Instruction Fuzzy Hash: 3781023072A905DBE644BB7D94567F8B3D2FF98354F544276E00CC32CBCE28A94587A9

Function 00007FF848DA7F4D Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec71c171701e9d3d1e9c4959c3a2224525619e9790a04385f5074780aecd5084
Instruction ID: f3655b86b13571dc351e6b9148795d56d6c22345ae6b2a5536858a4b2850e6f1
Opcode Fuzzy Hash: ec71c171701e9d3d1e9c4959c3a2224525619e9790a04385f5074780aecd5084
Instruction Fuzzy Hash: 44518130909A0C8FDB58EB68D8457EDBBF1FF59310F20426AD44DD3296CB34A9468B81

Function 00007FF848DA0925 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 073e4be7a04e62434a2f5f45e3c9d09cc3f453b20da26aa9fffe75a64123fd1d
Instruction ID: 3a14337a600e2b09b4225b7b1e2d23a84e3ea9500a79b38928a02eb0f31f6363
Opcode Fuzzy Hash: 073e4be7a04e62434a2f5f45e3c9d09cc3f453b20da26aa9fffe75a64123fd1d
Instruction Fuzzy Hash: 5251D421B1AA4E9FE798B77884692BD7792FF88294F8445B9D00EC32C7DE2D5C058346

Function 00007FF848DA8C81 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1db9c2a8d7d3ab853caacddd1a071534d6d01d34920556f3e738590de71265
Instruction ID: 8e5df47e9208f7b397c470b563a960d6658e548808a7be096bdd31ab642c931d
Opcode Fuzzy Hash: af1db9c2a8d7d3ab853caacddd1a071534d6d01d34920556f3e738590de71265
Instruction Fuzzy Hash: 3851C430A1EA199FEB88FB28D8557B8B7F1FF89344F1441B9E40DD3292CF28A8458744

Function 00007FF848DA1B48 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719c08deb307a6202fda0f73d6d73c9a44e48eb628975095cd95b267de06fd5f
Instruction ID: 83b4c4554de0881f1e3c341bded4dbc0a4b720be0dac1722302203ee9849e1e3
Opcode Fuzzy Hash: 719c08deb307a6202fda0f73d6d73c9a44e48eb628975095cd95b267de06fd5f
Instruction Fuzzy Hash: 3A61F530D0E7869FEB4AE77494113A9BBE1EF4A390F2802B9C05AC71D3DF686846C755

Function 00007FF848DA3BFC Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85396900998879d7e7ba32a7025cd944f73adaff72258f72a91e721e46cd3804
Instruction ID: 5cb6f50d7890a1777e9a1ce01a0ec88146b36cdb11e14e873817a2d96397304b
Opcode Fuzzy Hash: 85396900998879d7e7ba32a7025cd944f73adaff72258f72a91e721e46cd3804
Instruction Fuzzy Hash: FA517231D08B5C8FDB58EB58D845BE9BBF1FB59350F1082AAD04DD3252CF34A9858B81

Function 00007FF848DA1395 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591abe6cc7c06183035193d89ad9d9acbd0d80dc16b05efaef6bfe9288ef3276
Instruction ID: 7e66bb9a8958cc3e100a6df509a7a8276f2783938fee54477fa9db6a6fc26be6
Opcode Fuzzy Hash: 591abe6cc7c06183035193d89ad9d9acbd0d80dc16b05efaef6bfe9288ef3276
Instruction Fuzzy Hash: 89515853D0FAC58FF605B63C38152B96BD2EF56BA0F1800B7C049CB5D7D9489D49838A

Function 00007FF848DA94FA Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01238d03961eff36362c3f8bc91f65df6d832a99bd12578d38943a841f1f5f90
Instruction ID: f847d0c7069c9f0fef16b6a2446ee768802470b424980b1343eac98e524aa06c
Opcode Fuzzy Hash: 01238d03961eff36362c3f8bc91f65df6d832a99bd12578d38943a841f1f5f90
Instruction Fuzzy Hash: A951333090D6499FE749EBA8C8467B87BE0FF95360F14417ED00DC7292DB39A806CB90

Function 00007FF848DA189D Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55450ef8af11c5cf0783fd3ce1f64ae75cc4abac071c1826e840783764c6574
Instruction ID: 70ff04cef9967233c06f2d4f0cf7956952e3dd5d82d57feef088a5f33e30fb61
Opcode Fuzzy Hash: a55450ef8af11c5cf0783fd3ce1f64ae75cc4abac071c1826e840783764c6574
Instruction Fuzzy Hash: 60519D3090DA5C8FEB98EF28D459BA977E0FF59301F10416ED00EC3292CB39A845CB40

Function 00007FF848DA0B5E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49ba1c18a5b88b0c9b79352eb95ae510ddf98fed13dacb499a71b2a7043371c
Instruction ID: 8c81e0f217bf8bba2f164eed0ded871d7d16323c668b4637a40ca528ac04e38b
Opcode Fuzzy Hash: a49ba1c18a5b88b0c9b79352eb95ae510ddf98fed13dacb499a71b2a7043371c
Instruction Fuzzy Hash: 57412721B0EA890FE789A73C5829375BBD2EF8A754F0901FBE04DC7297DE185C468341

Function 00007FF848DA82B1 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fb55030965e3732cd0803f47516142a2d27790dfb8fc9b5a36ee1331a7a54f
Instruction ID: 5540cc08c1c0076e2ae7c4f20b55e4e19d7387ba14bf7c93c6017ed7f792fd35
Opcode Fuzzy Hash: f2fb55030965e3732cd0803f47516142a2d27790dfb8fc9b5a36ee1331a7a54f
Instruction Fuzzy Hash: 4941E271A0EA094FEB84FB7888596BD7BF2FF99341F1400BAD40DD3292DF2898458755

Function 00007FF848DA0528 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aef4d659990d5d3e6d0eee63b40f72ad47121e60a2593456c6e3354ba2cbccc
Instruction ID: 0ca75ed8a7337f89455133e82520e54af9b60d4bebbe35ef993e58e4d7256650
Opcode Fuzzy Hash: 7aef4d659990d5d3e6d0eee63b40f72ad47121e60a2593456c6e3354ba2cbccc
Instruction Fuzzy Hash: B431E221B1E94D4FE688FA2C946A379A6C2EB9C755F0401BEE00EC32D7EE689C458345

Function 00007FF848DA0E11 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb99fea53170a99aa1c81a17c2740a373db73f6f081042599d2ba314e2e389e
Instruction ID: f822ae6bef7ed061c3223e2b50260bc1080d8c46145b056c47ee8d5d632d1a87
Opcode Fuzzy Hash: acb99fea53170a99aa1c81a17c2740a373db73f6f081042599d2ba314e2e389e
Instruction Fuzzy Hash: 4E31E421F1EA099FE784B7AC581A3F977D2FB98791F140276E00DC3297DE189D458352

Function 00007FF848DA0CC1 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a324d095366034cfa63a46adf116cd03cc2ad07824f6d328fbbb004c8f50a15
Instruction ID: 2ae9724599bdafbb1b4b24f7a4bcf291fdefaa26e73e969b9ba998669c0f47a5
Opcode Fuzzy Hash: 2a324d095366034cfa63a46adf116cd03cc2ad07824f6d328fbbb004c8f50a15
Instruction Fuzzy Hash: 0241AF34E1EA4EDFEB44FB6884553B97BA2FF99341F604179D009D32C6CE38A8048755

Function 00007FF848DA0E30 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c744d74271cfe965a009a766fe083951a2ae9edfc53ff6c030b4d27f01ab94
Instruction ID: 0f5078d78b171e3be560f0b0747aa1f08988bfe93ab7895838066f60318ab1c4
Opcode Fuzzy Hash: 97c744d74271cfe965a009a766fe083951a2ae9edfc53ff6c030b4d27f01ab94
Instruction Fuzzy Hash: 0B31C421F1AD099FE784B66C580E3FD76D2FB98791F140276E00DC3286DE189C454395

Function 00007FF848DAB095 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d903c173474dbbdc05c92011bc6f77e5b3e7aeb5897c9db32efd66ed4eb5771
Instruction ID: b3e1b0ff2a489e2627c43fcfea206849d141e1b8f3a0e7bbfc2d29967c3edb98
Opcode Fuzzy Hash: 5d903c173474dbbdc05c92011bc6f77e5b3e7aeb5897c9db32efd66ed4eb5771
Instruction Fuzzy Hash: 90319E3190DB488FDB15DBA8D886AE9BBF0EF56320F0482AFD049C3552C734A409CB51

Function 00007FF848DA8179 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b24b6b614ec864709843554ac0e90eda85e37b1f1b95b257dc675862604aea
Instruction ID: 471413c91d26bcf588fc52cf4dcc2a4f39615e49a1757d0bd6d3c094b649c6ab
Opcode Fuzzy Hash: a0b24b6b614ec864709843554ac0e90eda85e37b1f1b95b257dc675862604aea
Instruction Fuzzy Hash: BC31073091DA898FEB46FB3C849566977E1FF56365F1441B6D008C3293CB2CA845CB45

Function 00007FF848DA17E5 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe7ae33cfaefa56ecd8def9bed0cc2f7a2f9b9c3ff927381cd0a61b487f40f4
Instruction ID: 73574878da0ca218baf01ca61b639bdbe511a19d1a86c6cfe2cc74afa60f4b6b
Opcode Fuzzy Hash: 1fe7ae33cfaefa56ecd8def9bed0cc2f7a2f9b9c3ff927381cd0a61b487f40f4
Instruction Fuzzy Hash: EC31F521E0E646AFFB54B73994523B92692EF987E0F644075D00EC71C7DF2CA8498399

Function 00007FF848DA7810 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377f21619b948d69ee8b243df13ebb11529e88391bbd6b223d59345d92c8c287
Instruction ID: b7f21353a3a0b6e8c71f42b535b325b46d7b44adf9b10564fbd885a4dc77561d
Opcode Fuzzy Hash: 377f21619b948d69ee8b243df13ebb11529e88391bbd6b223d59345d92c8c287
Instruction Fuzzy Hash: 3D21D332E0DA5D4FEB55FB7894462A877E1EB85370F140277E04DC3282DB28A85987CA

Function 00007FF848DAAFB9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ac4a77519752a31ad60b8e987ca91fe39af18b91fd3fe41c08a9f345710e03
Instruction ID: b597491b22b57fc85531da86a941180a60ed5bdd10edc03e5d8031a30d440461
Opcode Fuzzy Hash: d5ac4a77519752a31ad60b8e987ca91fe39af18b91fd3fe41c08a9f345710e03
Instruction Fuzzy Hash: 52212930D4E78A4FE745AB788851BF93BD1EF8A250F1841B6E099C3193CE2C984B8355

Function 00007FF848DAAEA1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b0e72adb0bea912d165a8fb1d61be230753b40b91c0a00aad1c969532c3bee
Instruction ID: f59d97c3b05b2b6ceb7c12a3f0606b913bc6d2e636adc4688fdd2a89720a4627
Opcode Fuzzy Hash: 64b0e72adb0bea912d165a8fb1d61be230753b40b91c0a00aad1c969532c3bee
Instruction Fuzzy Hash: C721C610A1EA559FE745B7AC54163F877D2FB88750F54427AE00DC31C7CE2C69498396

Function 00007FF848DA1694 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe0804eb15460e19aa301316d6fe8f1fc530cdcda40c04875ad6551fb568b2c
Instruction ID: dea35e7acac949087f656a0543519f1ec5d5779d0a39a109fe04e94b3c819c96
Opcode Fuzzy Hash: bfe0804eb15460e19aa301316d6fe8f1fc530cdcda40c04875ad6551fb568b2c
Instruction Fuzzy Hash: DD11C271D0968A8FEB59FB2844592B93BA5EB5A281F14417BC04AD76E2CF3914458708

Function 00007FF848DA16D1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d59b545281b03571db91937c6d232fb2563c4af9c5c068289c5c99228f2e5d2e
Instruction ID: a14947c74f81f7db7a3b5aa6c08a9007f239f3643de93704619edbb88b2d18c5
Opcode Fuzzy Hash: d59b545281b03571db91937c6d232fb2563c4af9c5c068289c5c99228f2e5d2e
Instruction Fuzzy Hash: 5211C070D0D68DCFEB5DEB2884692B93FE0EBA9241F5440BFC04EE76E2DA7904458709

Function 00007FF848DA7DA1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1473da05c0e314f545af139f404c7bcfda287b19d8fb01ae1ffbdff61f4362
Instruction ID: 7c9264984453d90ecda361d73459b3fd11a9c541b7acab041f93d0fbb2cea02a
Opcode Fuzzy Hash: 2f1473da05c0e314f545af139f404c7bcfda287b19d8fb01ae1ffbdff61f4362
Instruction Fuzzy Hash: 3501D232D0AA9D4FDB41ABA8885A2FD7BF1FF55351F4001B7D008D7196DF2899448791

Function 00007FF848DA14D3 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ffafceb6e8f795f6db8087adc6192b96ac98667eeb3f2110f42b7384654bd8
Instruction ID: 8f4b692c5468d79e206094555d68f306d8c5b7a046e3f3cbf54f0627e5c7c66a
Opcode Fuzzy Hash: 75ffafceb6e8f795f6db8087adc6192b96ac98667eeb3f2110f42b7384654bd8
Instruction Fuzzy Hash: 3D012811D0FBE58FE752B2382C651B83FA1DF96680F0805B7E489DB1E7DD189888435A

Function 00007FF848DA9B4D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6164fa504315eaaa1af0ed8e547ac3292b76e29d273af461b98df51c1bbf8e44
Instruction ID: 947c92c7303982ef2be199b67c67de11e3bacdb580ea33d20fdeabd11f12fc49
Opcode Fuzzy Hash: 6164fa504315eaaa1af0ed8e547ac3292b76e29d273af461b98df51c1bbf8e44
Instruction Fuzzy Hash: FD01F16585F7C56FE70367B808A15A67F60AE03264F1804FBE0E98B097CA08040AC386

Function 00007FF848DA8A5D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97407e40e1d995abe5cdc2e13ab085c2c1f030641c838749a610cc40f1e7147d
Instruction ID: 1714671ed7cf0209d9a22fc3ba5d94cd0a78a2b6643315ab9fe42cee039db2b4
Opcode Fuzzy Hash: 97407e40e1d995abe5cdc2e13ab085c2c1f030641c838749a610cc40f1e7147d
Instruction Fuzzy Hash: BD01D630F1EA0B1EE748FB3858963B47290FF04795F500679D80AC30C7DF19B44A9295

Function 00007FF848DA176D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0419dcf513b0fc45b85179d03488bf31a55b1509b62428f50495629deee1fcd
Instruction ID: 6a5e7b280cb5450be98d006534c586b51658c386fa0deed7784802a86b51138f
Opcode Fuzzy Hash: b0419dcf513b0fc45b85179d03488bf31a55b1509b62428f50495629deee1fcd
Instruction Fuzzy Hash: F3F02810E1F6468FFB54733864663782992EF98380F6410F9D00EC71C7DF5C68498319

Function 00007FF848DA1848 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b132f835d105ff8722430292cb51bbe146f034e90bf2d3934dbf5b2ee2128de
Instruction ID: 2a33a5f1ec27591515f63a29ceb2f167b560a5040c67c5957b8ccdd300b5c6bc
Opcode Fuzzy Hash: 6b132f835d105ff8722430292cb51bbe146f034e90bf2d3934dbf5b2ee2128de
Instruction Fuzzy Hash: 4DF08131D0E6069FE751F735944177477A2AF993B0F604635D01EC71C2DF38A8458688

Function 00007FF848DA9BA5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe20c02b70ab949f45febd76f5081cbe75a64c963bcf1f0bf8a22acfbc4a1603
Instruction ID: 9d1c5e168d4866a0d1c93a062541a429abf766b22606208d3d19688d2e94ae39
Opcode Fuzzy Hash: fe20c02b70ab949f45febd76f5081cbe75a64c963bcf1f0bf8a22acfbc4a1603
Instruction Fuzzy Hash: CCE0DF72C4E7C95EDB132B6818111E97F30EF02200F4800EBE0AC87083E65941288392

Function 00007FF848DA156B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8be7e7ec73f2ea9d4c3c372baa7b69f73edbdb31bb36d3e6ea21e544c332a04
Instruction ID: 2c26d40a8cabc504ccf9428bbf2eb3bbf2f80a4f6b01dd5ce989e6eeff713b4f
Opcode Fuzzy Hash: b8be7e7ec73f2ea9d4c3c372baa7b69f73edbdb31bb36d3e6ea21e544c332a04
Instruction Fuzzy Hash: C2D0A735C5D78D8EEF15BB6824111E97B60FF54240F14055EF81E43141DB61521842C2

Function 00007FF848DA268F Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3086166258.00007FF848DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848da0000_iy2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a704e75732eec63662349c4d87448248bea5e67c25863166068cdbd7b3f180
Instruction ID: 7f1a9555ec43b836475f466a7f2f89ce22c2bc976bc69eb5429bb620bd93250a
Opcode Fuzzy Hash: 04a704e75732eec63662349c4d87448248bea5e67c25863166068cdbd7b3f180
Instruction Fuzzy Hash: ABA0222B3003A802CB32AE3EECC82C0BF80EC832323200BFFC0C0880088000000AC322

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iy2.dat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iy2.dat.exe_491e14736a29cf94730c26c81a3cd39147dec53_bb1030e9_57a592c2-a5c4-4e5e-af60-504eedf37e98\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF174.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2FC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
iy2.dat.exe