Windows Analysis Report
lrw6UNGsUC.exe

Overview

General Information

Sample name: lrw6UNGsUC.exe (renamed because original name is a hash value)
Original sample name: 0e2ab563262e27e9095c4c1e055d25974c7f8d767de7d97d8943306268a54d33.exe
Analysis ID: 1588989
MD5: eb23d50af27df1288faf92898cccc3d3
SHA1: f82e28701d256af04e7728c19dd5329dd23760f2
SHA256: 0e2ab563262e27e9095c4c1e055d25974c7f8d767de7d97d8943306268a54d33
Tags: AsyncRAT, exe, user-adrian__luca

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • lrw6UNGsUC.exe (PID: 320 cmdline: "C:\Users\user\Desktop\lrw6UNGsUC.exe" MD5: EB23D50AF27DF1288FAF92898CCCC3D3)
    • lrw6UNGsUC.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\lrw6UNGsUC.exe" MD5: EB23D50AF27DF1288FAF92898CCCC3D3)
    • lrw6UNGsUC.exe (PID: 616 cmdline: "C:\Users\user\Desktop\lrw6UNGsUC.exe" MD5: EB23D50AF27DF1288FAF92898CCCC3D3)
  • cleanup
{"C2 url": ["https://pastebin.com/raw/UjEMadMV"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x6b65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6c02:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6d17:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x69d7:$cnc4: POST / HTTP/1.1
00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0xd431:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x15911:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1f745:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xd4ce:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x159ae:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1f7e2:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xd5e3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x15ac3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x1f8f7:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xd2a3:$cnc4: POST / HTTP/1.1
      • 0x15783:$cnc4: POST / HTTP/1.1
      • 0x1f5b7:$cnc4: POST / HTTP/1.1
Process Memory Space: lrw6UNGsUC.exe PID: 320 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
4.2.lrw6UNGsUC.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.2.lrw6UNGsUC.exe.400000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
          • 0x59d1:$str01: $VB$Local_Port
          • 0x59c2:$str02: $VB$Local_Host
          • 0x5c59:$str03: get_Jpeg
          • 0x568e:$str04: get_ServicePack
          • 0x6611:$str05: Select * from AntivirusProduct
          • 0x680f:$str06: PCRestart
          • 0x6823:$str07: shutdown.exe /f /r /t 0
          • 0x68d5:$str08: StopReport
          • 0x68ab:$str09: StopDDos
          • 0x69ad:$str10: sendPlugin
          • 0x6a2d:$str11: OfflineKeylogger Not Enabled
          • 0x6b93:$str12: -ExecutionPolicy Bypass -File "
          • 0x6cbc:$str13: Content-length: 5235
4.2.lrw6UNGsUC.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
          • 0x6d65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x6e02:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x6f17:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x6bd7:$cnc4: POST / HTTP/1.1
0.2.lrw6UNGsUC.exe.31996cc.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.lrw6UNGsUC.exe.31996cc.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
            • 0x3bd1:$str01: $VB$Local_Port
            • 0x3bc2:$str02: $VB$Local_Host
            • 0x3e59:$str03: get_Jpeg
            • 0x388e:$str04: get_ServicePack
            • 0x4811:$str05: Select * from AntivirusProduct
            • 0x4a0f:$str06: PCRestart
            • 0x4a23:$str07: shutdown.exe /f /r /t 0
            • 0x4ad5:$str08: StopReport
            • 0x4aab:$str09: StopDDos
            • 0x4bad:$str10: sendPlugin
            • 0x4c2d:$str11: OfflineKeylogger Not Enabled
            • 0x4d93:$str12: -ExecutionPolicy Bypass -File "
            • 0x4ebc:$str13: Content-length: 5235
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T08:10:19.637725+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49989 | 94.154.37.129 | 9071 | TCP

AV Detection

Source: lrw6UNGsUC.exe | Avira: detected
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/UjEMadMV"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: lrw6UNGsUC.exe | Virustotal: Detection: 73%
Source: lrw6UNGsUC.exe | ReversingLabs: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: lrw6UNGsUC.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | String decryptor: https://pastebin.com/raw/UjEMadMV
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.2
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: lrw6UNGsUC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: lrw6UNGsUC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Xhur.pdbSHA256# source: lrw6UNGsUC.exe
Source: Binary string: Xhur.pdb source: lrw6UNGsUC.exe

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49709 -> 94.154.37.129:9071
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49989 -> 94.154.37.129:9071
Source: Malware configuration extractor | URLs: https://pastebin.com/raw/UjEMadMV
Source: unknown | DNS query: name: pastebin.com
Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 94.154.37.129:9071
Source: global traffic | HTTP traffic detected: GET /raw/UjEMadMV HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | ASN Name: DINET-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: lrw6UNGsUC.exe, 00000004.00000002.4518861231.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lrw6UNGsUC.exe, 00000004.00000002.4518861231.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/UjEMadMV
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49707 version: TLS 1.2

System Summary

Source: 4.2.lrw6UNGsUC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 4.2.lrw6UNGsUC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0174D3A4
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_03026698
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_03020006
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_03020040
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_03026688
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0302EF28
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0302EF38
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0770CA4B
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_07708680
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0770B0A0
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0770B091
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0770EFD0
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_07708EF0
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_07708EE0
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_0770AC68
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 0_2_07708AB8
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C6268
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C6F40
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C90A0
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C0C10
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C5F20
Source: lrw6UNGsUC.exe, 00000000.00000002.2116414564.00000000041A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000002.2114537774.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000002.2115805377.00000000031B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000002.2117340769.00000000057E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000002.2116414564.0000000004169000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000000.2055013599.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXhur.exe6 vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000000.00000002.2118242784.0000000007710000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe, 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe | Binary or memory string: OriginalFilenameXhur.exe6 vs lrw6UNGsUC.exe
Source: lrw6UNGsUC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.lrw6UNGsUC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 4.2.lrw6UNGsUC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.lrw6UNGsUC.exe.31a1bac.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.lrw6UNGsUC.exe.31996cc.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: lrw6UNGsUC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/1@1/2
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lrw6UNGsUC.exe.log
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Mutant created: \Sessions\1\BaseNamedObjects\7r54Iv7WwsTgLPOp
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Mutant created: NULL
Source: lrw6UNGsUC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lrw6UNGsUC.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lrw6UNGsUC.exe | Virustotal: Detection: 73%
Source: lrw6UNGsUC.exe | ReversingLabs: Detection: 75%
Source: unknown | Process created: C:\Users\user\Desktop\lrw6UNGsUC.exe "C:\Users\user\Desktop\lrw6UNGsUC.exe"
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process created: C:\Users\user\Desktop\lrw6UNGsUC.exe "C:\Users\user\Desktop\lrw6UNGsUC.exe"
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process created: C:\Users\user\Desktop\lrw6UNGsUC.exe "C:\Users\user\Desktop\lrw6UNGsUC.exe"
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process created: C:\Users\user\Desktop\lrw6UNGsUC.exe "C:\Users\user\Desktop\lrw6UNGsUC.exe"
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process created: C:\Users\user\Desktop\lrw6UNGsUC.exe "C:\Users\user\Desktop\lrw6UNGsUC.exe"
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: lrw6UNGsUC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: lrw6UNGsUC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: lrw6UNGsUC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: Xhur.pdbSHA256# source: lrw6UNGsUC.exe
            Source: Binary string: Xhur.pdb source: lrw6UNGsUC.exe
            Source: lrw6UNGsUC.exe | Static PE information: 0xCCCE1A38 [Sat Nov 19 04:53:12 2078 UTC]
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C8852 push es; ret 4_2_011C8840
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C58D4 pushfd ; ret 4_2_011C58D5
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C1390 push eax; ret 4_2_011C13CA
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C13D0 push eax; ret 4_2_011C13DA
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C13F0 push eax; ret 4_2_011C13FA
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C13E0 push eax; ret 4_2_011C13EA
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Code function: 4_2_011C7E12 push eax; iretd 4_2_011C7E19
            Source: lrw6UNGsUC.exe | Static PE information: section name: .text entropy: 7.593770761477395
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process information set: NOOPENFILEERRORBOX (reported 93 times)

            Malware Analysis System Evasion

            barindex
            Source: Yara match | File source: Process Memory Space: lrw6UNGsUC.exe PID: 320, type: MEMORYSTR
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (reported 11 times)
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 1530000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 3160000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 16A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 7EE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 8EE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 9090000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: A090000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 11C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 2E10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: 4E10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Window / User API: threadDelayed 9707
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe TID: 6348 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe TID: 2820 | Thread sleep count: 33 > 30
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe TID: 2820 | Thread sleep time: -30437127721620741s >= -30000s
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe TID: 1272 | Thread sleep count: 140 > 30
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe TID: 1272 | Thread sleep count: 9707 > 30
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | File Volume queried: C:\ FullSizeInformation (reported 9 times)
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
            Source: lrw6UNGsUC.exe, 00000004.00000002.4517563477.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process token adjusted: Debug (reported 2 times)
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Memory written: C:\Users\user\Desktop\lrw6UNGsUC.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Process created: C:\Users\user\Desktop\lrw6UNGsUC.exe "C:\Users\user\Desktop\lrw6UNGsUC.exe" (reported 2 times)
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Users\user\Desktop\lrw6UNGsUC.exe VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Users\user\Desktop\lrw6UNGsUC.exe VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: lrw6UNGsUC.exe, 00000004.00000002.4517563477.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, lrw6UNGsUC.exe, 00000004.00000002.4517563477.0000000001051000.00000004.00000020.00020000.00000000.sdmp, lrw6UNGsUC.exe, 00000004.00000002.4521643122.000000000619A000.00000004.00000020.00020000.00000000.sdmp, lrw6UNGsUC.exe, 00000004.00000002.4517563477.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\lrw6UNGsUC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (reported 11 times)

            Stealing of Sensitive Information

            barindex
            Source: Yara match | File source: 4.2.lrw6UNGsUC.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31996cc.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31a1bac.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31a1bac.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31996cc.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: lrw6UNGsUC.exe PID: 320, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: lrw6UNGsUC.exe PID: 616, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara match | File source: 4.2.lrw6UNGsUC.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31996cc.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31a1bac.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31a1bac.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.lrw6UNGsUC.exe.31996cc.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: lrw6UNGsUC.exe PID: 320, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: lrw6UNGsUC.exe PID: 616, type: MEMORYSTR
            ATT&CK matrix (columns of the original grid are the tactics below; the digits that precede a technique name are the counters displayed in that matrix cell, techniques without digits are the untriggered cells of the grid):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 2 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Source | Detection | Scanner | Label
            lrw6UNGsUC.exe | 73% | Virustotal |
            lrw6UNGsUC.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
            lrw6UNGsUC.exe | 100% | Avira | HEUR/AGEN.1309499
            lrw6UNGsUC.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            pastebin.com | 104.20.4.235 | true | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            https://pastebin.com/raw/UjEMadMV | false | | high

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | lrw6UNGsUC.exe, 00000004.00000002.4518861231.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
                  94.154.37.129 | unknown | Ukraine | 12695 | DINET-ASRU | true
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1588989
                  Start date and time:2025-01-11 08:06:59 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 2s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:lrw6UNGsUC.exe
                  renamed because original name is a hash value
                  Original Sample Name:0e2ab563262e27e9095c4c1e055d25974c7f8d767de7d97d8943306268a54d33.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@5/1@1/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 34
                  • Number of non-executed functions: 13
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 20.109.210.53
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  Time | Type | Description
                  02:07:56 | API Interceptor | 8753435x Sleep call for process: lrw6UNGsUC.exe modified
                  Process:C:\Users\user\Desktop\lrw6UNGsUC.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.34331486778365
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.582191095085443
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:lrw6UNGsUC.exe
                  File size:487'936 bytes
                  MD5:eb23d50af27df1288faf92898cccc3d3
                  SHA1:f82e28701d256af04e7728c19dd5329dd23760f2
                  SHA256:0e2ab563262e27e9095c4c1e055d25974c7f8d767de7d97d8943306268a54d33
                  SHA512:70fa97b3620b569d4f304b97a3f22ea720b4dcc8007301ee0a54b3d9f901670962a08becd45b43838506d88a6b5eb4a5e4a6e43b26eb5b30202ac5f2c403c457
                  SSDEEP:12288:o8PZsrAXeXzKinig6dpXnWq4U5usx+Xti:o80zKhHV4Ux
                  TLSH:CAA4E0586696DA02C59557B91E71F2B12BB82EDEBA01E3039FD97DEBB839F100C44243
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8.................0..h............... ........@.. ....................................@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x4787d6
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xCCCE1A38 [Sat Nov 19 04:53:12 2078 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x78784 | 0x4f | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x5a4 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x76b24 | 0x70 | .text
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x767dc | 0x76800 | 2ef2800a8d747ee19902434223929737 | False | 0.8756613429588608 | COM executable for DOS | 7.593770761477395 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x7a000 | 0x5a4 | 0x600 | e01fb17fc2bb4582111156b038947120 | False | 0.4205729166666667 | data | 4.0676465127493024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x7c000 | 0xc | 0x200 | 3e37d4a3a0a9c26e6b064b3e1a2e97c2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_VERSION | 0x7a090 | 0x314 | data | | | 0.4365482233502538
                  RT_MANIFEST | 0x7a3b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2025-01-11T08:08:14.749663+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49709 | 94.154.37.129 | 9071 | TCP
                  2025-01-11T08:10:19.637725+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49989 | 94.154.37.129 | 9071 | TCP
                  TimestampSource PortDest PortSource IPDest IP
                  Jan 11, 2025 08:11:00.229975939 CET90714999194.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:01.356607914 CET499919071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:01.361512899 CET90714999194.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:06.739324093 CET90714999194.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:06.745094061 CET499919071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:06.748136044 CET499919071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:06.749109030 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:06.752933979 CET90714999194.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:06.753881931 CET90714999294.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:06.756164074 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:06.852065086 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:06.856913090 CET90714999294.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:07.107067108 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:07.111965895 CET90714999294.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:17.825826883 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:17.830730915 CET90714999294.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:28.131198883 CET90714999294.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:28.131259918 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:32.559386969 CET499929071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:32.561290026 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:32.564189911 CET90714999294.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:32.566085100 CET90714999394.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:32.566226006 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:32.641223907 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:32.646051884 CET90714999394.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:45.590966940 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:45.595802069 CET90714999394.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:50.215842962 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:50.220725060 CET90714999394.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:53.975851059 CET90714999394.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:53.975951910 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:58.168911934 CET499939071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:58.171461105 CET499949071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:58.173854113 CET90714999394.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:58.176271915 CET90714999494.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:58.176383018 CET499949071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:58.207715988 CET499949071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:58.212517023 CET90714999494.154.37.129192.168.2.5
                  Jan 11, 2025 08:11:58.779361963 CET499949071192.168.2.594.154.37.129
                  Jan 11, 2025 08:11:58.784326077 CET90714999494.154.37.129192.168.2.5
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 11, 2025 08:08:01.081582069 CET | 51658 | 53 | 192.168.2.5 | 1.1.1.1
                  Jan 11, 2025 08:08:01.088620901 CET | 53 | 51658 | 1.1.1.1 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jan 11, 2025 08:08:01.081582069 CET | 192.168.2.5 | 1.1.1.1 | 0x4f48 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jan 11, 2025 08:08:01.088620901 CET | 1.1.1.1 | 192.168.2.5 | 0x4f48 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                  Jan 11, 2025 08:08:01.088620901 CET | 1.1.1.1 | 192.168.2.5 | 0x4f48 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                  Jan 11, 2025 08:08:01.088620901 CET | 1.1.1.1 | 192.168.2.5 | 0x4f48 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                  • pastebin.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.5 | 49707 | 104.20.4.235 | 443 | 616 | C:\Users\user\Desktop\lrw6UNGsUC.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2025-01-11 07:08:01 UTC | 74 | OUT | GET /raw/UjEMadMV HTTP/1.1
                  Host: pastebin.com
                  Connection: Keep-Alive
                  2025-01-11 07:08:02 UTC | 388 | IN | HTTP/1.1 200 OK
                  Date: Sat, 11 Jan 2025 07:08:02 GMT
                  Content-Type: text/plain; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  x-frame-options: DENY
                  x-content-type-options: nosniff
                  x-xss-protection: 1;mode=block
                  cache-control: public, max-age=1801
                  CF-Cache-Status: MISS
                  Last-Modified: Sat, 11 Jan 2025 07:08:02 GMT
                  Server: cloudflare
                  CF-RAY: 900312bebed10f42-EWR
                  2025-01-11 07:08:02 UTC | 24 | IN | Data Raw: 31 32 0d 0a 39 34 2e 31 35 34 2e 33 37 2e 31 32 39 3a 39 30 37 31 0d 0a
                  Data Ascii: 1294.154.37.129:9071
                  2025-01-11 07:08:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0



                  Target ID: 0
                  Start time: 02:07:50
                  Start date: 11/01/2025
                  Path: C:\Users\user\Desktop\lrw6UNGsUC.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\lrw6UNGsUC.exe"
                  Imagebase: 0xc60000
                  File size: 487'936 bytes
                  MD5 hash: EB23D50AF27DF1288FAF92898CCCC3D3
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2115805377.0000000003193000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation: low
                  Has exited: true

                  Target ID: 3
                  Start time: 02:07:56
                  Start date: 11/01/2025
                  Path: C:\Users\user\Desktop\lrw6UNGsUC.exe
                  Wow64 process (32bit): false
                  Commandline: "C:\Users\user\Desktop\lrw6UNGsUC.exe"
                  Imagebase: 0x1e0000
                  File size: 487'936 bytes
                  MD5 hash: EB23D50AF27DF1288FAF92898CCCC3D3
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low
                  Has exited: true

                  Target ID: 4
                  Start time: 02:07:56
                  Start date: 11/01/2025
                  Path: C:\Users\user\Desktop\lrw6UNGsUC.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\lrw6UNGsUC.exe"
                  Imagebase: 0xa30000
                  File size: 487'936 bytes
                  MD5 hash: EB23D50AF27DF1288FAF92898CCCC3D3
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.4517322441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation: low
                  Has exited: false


                    Execution Graph

                    Execution Coverage: 10.1%
                    Dynamic/Decrypted Code Coverage: 100%
                    Signature Coverage: 3.5%
                    Total number of Nodes: 284
                    Total number of Limit Nodes: 15
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd

                    Control-flow Graph: function at 174d468 (graph not rendered)
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0174D4F6
                    • GetCurrentThread.KERNEL32 ref: 0174D533
                    • GetCurrentProcess.KERNEL32 ref: 0174D570
                    • GetCurrentThreadId.KERNEL32 ref: 0174D5C9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    Control-flow Graph: function at 174d478 (graph not rendered)
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0174D4F6
                    • GetCurrentThread.KERNEL32 ref: 0174D533
                    • GetCurrentProcess.KERNEL32 ref: 0174D570
                    • GetCurrentThreadId.KERNEL32 ref: 0174D5C9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    Control-flow Graph: function at 770b814 (graph not rendered)
                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0770BA56
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0

                    Control-flow Graph: function at 770b820 (graph not rendered)
                    APIs
                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0770BA56
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: CreateProcess
                    • String ID:
                    • API String ID: 963392458-0

Control-flow Graph
• Function 0174ADE8-0174B068, calls GetModuleHandleW at 0174B03E; internal calls to 01749414, 0174A150, 0174A160, 0174A170, 0174A180, 0174B070, 0174B080
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0174B03E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 4119070696038db0dbc4ff56eb6a3b37cd94b0c3c7a6ba7d7b02a4cc1a4e3a7e
                    • Instruction ID: b43906853a5e2d12eae04ad3102e2d04ff2f7550bd25ee803a8a8b019b23a69d
                    • Opcode Fuzzy Hash: 4119070696038db0dbc4ff56eb6a3b37cd94b0c3c7a6ba7d7b02a4cc1a4e3a7e
                    • Instruction Fuzzy Hash: 9E712270A00B058FEB24DF6AD54576ABBF1FF88300F008A2DD55AD7A50DB75E949CB90

Control-flow Graph
• Function 030218E4-03021A61, calls CreateWindowExW at 03021A02
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03021A02
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 23e766372e9e0cc6decc41743697e89fbfe1e8421848db3e48f5c73c966eb35c
                    • Instruction ID: 8a9db4ddc6848c6276e3ef1e5fa686d8b13830977e6e49c247730d34b1c43911
                    • Opcode Fuzzy Hash: 23e766372e9e0cc6decc41743697e89fbfe1e8421848db3e48f5c73c966eb35c
                    • Instruction Fuzzy Hash: 3751E0B1C113599FDB18CFA9C984ADEFFB5BF48310F24812AE819AB210D7749985CF90

Control-flow Graph
• Function 030218F0-03021A61, calls CreateWindowExW at 03021A02
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 03021A02
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: b3a367c8e32f194db5e6f45a3669cd7619b77315964f157263cdb96b145afa25
                    • Instruction ID: fa131c8c0e82e3127ba1be94c97ed23d89c7321b26d4e6b435cc14fc22a5f563
                    • Opcode Fuzzy Hash: b3a367c8e32f194db5e6f45a3669cd7619b77315964f157263cdb96b145afa25
                    • Instruction Fuzzy Hash: 6141CEB1D113599FDB18CF9AC984ADEFFB5BF48310F24812AE819AB210D7749985CF90

Control-flow Graph
• Function 017444B4-01745A61, calls CreateActCtxA at 017459C9
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 017459C9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: ce5e293d3dc6e27a312c13c5f41a5561fa30e7d14500e25c0f488cfbf3a213b8
                    • Instruction ID: f843d8a150fc316327df8885730fabad6e7f777d194a6f48543036ad1bc44cf9
                    • Opcode Fuzzy Hash: ce5e293d3dc6e27a312c13c5f41a5561fa30e7d14500e25c0f488cfbf3a213b8
                    • Instruction Fuzzy Hash: 6141DFB0C00719CBEB24DFAAC884A9EBBB5BF49304F20806AD519AB255DB756945CF90

Control-flow Graph
• Function 0174590C-01745A61, calls CreateActCtxA at 017459C9
                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 017459C9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 152fef2d9711e1539e20d1ea55eb5055b724ff33ad60aa02e7202b2bff98c715
                    • Instruction ID: a0ca5ac81d1da39511e9165fd59ef6d9c57aa12220144c58cf2d69fe573d21ef
                    • Opcode Fuzzy Hash: 152fef2d9711e1539e20d1ea55eb5055b724ff33ad60aa02e7202b2bff98c715
                    • Instruction Fuzzy Hash: 6941FFB0C00719CFEB24CFAAC984BDDBBB5BF49304F20806AD419AB255DB755946CF90

Control-flow Graph
• Function entry 0770B4D1 (body 0770B47D-0770B581), calls VirtualAllocEx at 0770B546
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0770B546
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 569357bb8a8c3bec688a2787c0756d07ebeeab0590967162b81b4a8794284ddb
                    • Instruction ID: 4f3db4803fe32ca9d270208af05e70f1d5610c27b4387a74872256c27c841275
                    • Opcode Fuzzy Hash: 569357bb8a8c3bec688a2787c0756d07ebeeab0590967162b81b4a8794284ddb
                    • Instruction Fuzzy Hash: 183158B1D04249CFCB10DFA9D885AEEBFF5EF48324F20845AE515A72A4C735AA40CF90

Control-flow Graph
• Function 0302407E-0302416C, calls CallWindowProcW at 03024111
                    APIs
                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 03024111
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: CallProcWindow
                    • String ID:
                    • API String ID: 2714655100-0
                    • Opcode ID: c991bdbc79fdd0492bf2c66a28b944fb4cf611b98e31a799820431f20496cdaa
                    • Instruction ID: 4a02e3b68b4ff33e2fc8b568866bb5a92bc10042f39d8f856a17eb58d9db7120
                    • Opcode Fuzzy Hash: c991bdbc79fdd0492bf2c66a28b944fb4cf611b98e31a799820431f20496cdaa
                    • Instruction Fuzzy Hash: DF31EAB5A003158FDB14CF9AC488AAAFBF5FB98314F14C599D5199B321D374A841CF60

Control-flow Graph
• Function 0770AB88-0770AC54, calls Wow64SetThreadContext at 0770AC0E
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0770AC0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: 3bfadebb94c44e0a49357183b220511c2585652d4ffebf404b089cafe2afd811
                    • Instruction ID: 18db552df370cb89ac347e2933f117355425a2a21296277162414d8780e02cfc
                    • Opcode Fuzzy Hash: 3bfadebb94c44e0a49357183b220511c2585652d4ffebf404b089cafe2afd811
                    • Instruction Fuzzy Hash: 722127B19003099FDB14DFAAC585BEFBBF5EF48314F108829D559A7280C7789585CBA0
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0770B628
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 5c3f695b7c6019a7bcb2fe6aa07f68c84cca3ebeeff3eb96eaa9d232e1afabc9
                    • Instruction ID: 25232ba626061755d9ccca41f48c9e28d5ec91609106f357b758b350c231ed5d
                    • Opcode Fuzzy Hash: 5c3f695b7c6019a7bcb2fe6aa07f68c84cca3ebeeff3eb96eaa9d232e1afabc9
                    • Instruction Fuzzy Hash: 87214BB5900249DFDB14CFAAC9447EEBBF1FF48310F108429E518A7250D7789944CBA0
                    APIs
                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0770B628
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 6d656d3b577635086feedf25b503a7e6221f445c0dae6fa9eb7322fff42a773d
                    • Instruction ID: 3d2549c78f4b9f73ced71f4a2c9b557d0dfb9666475234c9336abe9be5816623
                    • Opcode Fuzzy Hash: 6d656d3b577635086feedf25b503a7e6221f445c0dae6fa9eb7322fff42a773d
                    • Instruction Fuzzy Hash: F42127B5900349DFCB10DFAAC985BEEBBF5FF48310F108429E919A7250D7789944CBA0
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0770B708
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: 7e0410ef018eaed539dd797ca3c076433dec1d1d181e055c3fdd1737b8374718
                    • Instruction ID: 6dc24a112cbc01db59b9351f30a7f1af75f5fa9e0212ad3907214d181d4366d5
                    • Opcode Fuzzy Hash: 7e0410ef018eaed539dd797ca3c076433dec1d1d181e055c3fdd1737b8374718
                    • Instruction Fuzzy Hash: 4C21F8B1D01259DFDB14DFAAC985AEEBBF5FF48310F10842AE519A7250C7389545CFA0
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D747
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 7dac36769daca8c088e5cb6d06e8d029366c8de9b48f70f728a2817234f675b9
                    • Instruction ID: 92d155e2faecadae9494c435673c3f38e3184357cc89d97bee465b92ddabd5b6
                    • Opcode Fuzzy Hash: 7dac36769daca8c088e5cb6d06e8d029366c8de9b48f70f728a2817234f675b9
                    • Instruction Fuzzy Hash: 9021E5B59002489FDB10CFAAD985AEEFFF5EB48310F14801AE958A3211C378A944CFA0
                    APIs
                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0770B708
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: MemoryProcessRead
                    • String ID:
                    • API String ID: 1726664587-0
                    • Opcode ID: f3c5b094a62d770df5cf7b91ac9d2c4941e6c701003122880801590b49d286b5
                    • Instruction ID: b9a7a3e91c7d1ff5993f2a05ac631c5499be21a963843c6ffc657904703d5f15
                    • Opcode Fuzzy Hash: f3c5b094a62d770df5cf7b91ac9d2c4941e6c701003122880801590b49d286b5
                    • Instruction Fuzzy Hash: 4E21F8B1C003599FCB10DFAAC985AEEBBF5FF48310F50842AE519A7250C7789544CBA0
                    APIs
                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0770AC0E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: ContextThreadWow64
                    • String ID:
                    • API String ID: 983334009-0
                    • Opcode ID: d876bf6711da7c0127214960e8abf93a22c327f380282eb132e047c1e02162b9
                    • Instruction ID: 177675d70e7109763e54f0565484ccf56e56828ce87765d09632e40f99588e0f
                    • Opcode Fuzzy Hash: d876bf6711da7c0127214960e8abf93a22c327f380282eb132e047c1e02162b9
                    • Instruction Fuzzy Hash: 102118B1D003098FDB14DFAAC9857AEBBF5EF48314F14C429D519A7240CB789984CFA0
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D747
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: cb6db076dd7c5ea06efeecbacc19f4138a99e6c75eb5e7f881d8376cb584a17a
                    • Instruction ID: 17f7b3ea07784c92bff6d6d6505c43d5267f3b9487c30c6844424b6f2e4ee6a2
                    • Opcode Fuzzy Hash: cb6db076dd7c5ea06efeecbacc19f4138a99e6c75eb5e7f881d8376cb584a17a
                    • Instruction Fuzzy Hash: 7E21C4B59002489FDB10CF9AD984ADEFFF9FB48310F14841AE958A3350D378A944CFA5
                    APIs
                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0770B546
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 6671bee3c60d6b2eb3316ce76ce822886dad24521c55a657457b1f2c9a88df02
                    • Instruction ID: 31ff5f854b38430aefff27d48d6eef22b7b80a8c0a9903e6312fe74384a093e2
                    • Opcode Fuzzy Hash: 6671bee3c60d6b2eb3316ce76ce822886dad24521c55a657457b1f2c9a88df02
                    • Instruction Fuzzy Hash: 4D1119B1900249DFCB14DFAAC945AEFBFF5EF48320F148819E519A7250C779A944CFA0
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0770DCB5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    • Opcode ID: 5ce0bc2e5c540853b4b6811eda4c710b8d3a70e029aaeb5bef499bdbedfe0673
                    • Instruction ID: d4d2bfe33eff80a18f75c75af69e3716f181a0f106ba8f1838c062b309dbed2c
                    • Opcode Fuzzy Hash: 5ce0bc2e5c540853b4b6811eda4c710b8d3a70e029aaeb5bef499bdbedfe0673
                    • Instruction Fuzzy Hash: 7011F3B19003499FDB20CF99C945BDEBFF8EB49354F108819D514A7240C3B9A544CFE5
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: 6f4745dd35e036d38493bde90020a82a1a11a368c2f9f54f6d989bf1ee928067
                    • Instruction ID: 6b1f3a97d23933bbb8fedd096f4ba2d68987e6d12831e2c1b097d8c6c45dae35
                    • Opcode Fuzzy Hash: 6f4745dd35e036d38493bde90020a82a1a11a368c2f9f54f6d989bf1ee928067
                    • Instruction Fuzzy Hash: 751149B1D003498EDB24DFAAC4447AEFFF5EF89314F14881AD019A7240C7395544CBA4
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: b13b38363e4154a2ab96668e59c63cfdcf3ce3c81cdf4cff02db23701463c29d
                    • Instruction ID: b6a724b5c3fb5027f3bc6042e2fc8271bf8fd03ab061b8f5f4c5c4aca8cba8ba
                    • Opcode Fuzzy Hash: b13b38363e4154a2ab96668e59c63cfdcf3ce3c81cdf4cff02db23701463c29d
                    • Instruction Fuzzy Hash: AC1128B1D003498FCB14DFAAC8457AEFBF5EF88320F108419D519A7240CB79A944CBA4
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0770DCB5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: MessagePost
                    • String ID:
                    • API String ID: 410705778-0
                    • Opcode ID: 5cfaeb40cc0184f6720058ef6f4b6ffd1fddc788bb6ade1e7b81be7e4b2611d6
                    • Instruction ID: 1aec7dd1863f95fe3f27ac3fb96995f97e7e0650bcf661d526c20b404381e5bf
                    • Opcode Fuzzy Hash: 5cfaeb40cc0184f6720058ef6f4b6ffd1fddc788bb6ade1e7b81be7e4b2611d6
                    • Instruction Fuzzy Hash: F211E3B5900349DFDB20DF99C945BEEBBF8EB49310F108419E518A7240C375A944CFE1
                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0174B03E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 510a0cd4045962236b34b2efecf2fa13a2be6caf77349c539010d93ae137fb0f
                    • Instruction ID: f85550060d3c1086b3d209e24c12513afcf8425f74f4b909f1608e5526c1b3a1
                    • Opcode Fuzzy Hash: 510a0cd4045962236b34b2efecf2fa13a2be6caf77349c539010d93ae137fb0f
                    • Instruction Fuzzy Hash: 5C11DFB5C002498FDB14DF9AD844ADEFBF4AB88214F10842AD529A7610D379A945CFA1
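The entries above scatter the stages of a process-hollowing chain (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) across separate function fingerprints that all come from the 07700000 memory dump region, while the 01740000 and 03020000 regions carry only handle, activation-context and window APIs. The following Python script is an added triage example and is not part of this Joe Sandbox report or of its tooling: it parses a constructed excerpt of the entries above, groups each fingerprint's API calls by dump region and flags regions in which the complete chain appears. The stage names and the excerpt are mine; it also assumes that the report's "API ID" is a word-sorted form of the API name, which is used only as a fallback for the two ResumeThread entries that list no API bullet.

```python
"""Group Joe Sandbox function fingerprints by memory-dump region and flag
regions that hold a complete process-hollowing API chain (added example)."""
import re
from collections import defaultdict

# Constructed excerpt of the entries above: API bullet, dump source and API ID.
# The Opcode/Instruction hash lines are omitted because the parser ignores them.
REPORT_EXCERPT = """\
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0770BA56
Memory Dump Source
• Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
• API ID: CreateProcess
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0770B546
Memory Dump Source
• Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
• API ID: AllocVirtual
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0770B628
Memory Dump Source
• Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
• API ID: MemoryProcessWrite
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0770AC0E
Memory Dump Source
• Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
• API ID: ContextThreadWow64
APIs
Memory Dump Source
• Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
• API ID: ResumeThread
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0174D747
Memory Dump Source
• Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
• API ID: DuplicateHandle
"""

# Hollowing stages in call order. Each stage lists substrings that identify it
# in the resolved API name or in the report's "API ID" key (assumption: the API
# ID is a word-sorted form of the API name, as the entries above suggest).
HOLLOWING_STAGES = (
    ("create_suspended", ("CreateProcess",)),
    ("alloc_remote", ("VirtualAllocEx", "AllocVirtual")),
    ("write_remote", ("WriteProcessMemory", "MemoryProcessWrite")),
    ("set_context", ("SetThreadContext", "ContextThread")),
    ("resume", ("ResumeThread",)),
)

API_RE = re.compile(r"^•\s*(\w+)\.\w+\(.*\), ref: ([0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
APIID_RE = re.compile(r"^•\s*API ID: (.*)$")


def parse_entries(text):
    """Return one dict per fingerprint: dump region, (api, call site) list, API ID."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Memory Dump Source"):
            # A header starts a new entry once the current one has its region.
            if cur and cur["region"] is not None:
                entries.append(cur)
                cur = None
            cur = cur or {"region": None, "apis": [], "api_id": ""}
            continue
        if cur is None:
            continue
        api = API_RE.match(line)
        off = OFFSET_RE.search(line)
        aid = APIID_RE.match(line)
        if api:
            cur["apis"].append((api.group(1), int(api.group(2), 16)))
        elif off:
            cur["region"] = int(off.group(1), 16)
        elif aid:
            cur["api_id"] = aid.group(1).strip()
    if cur and cur["region"] is not None:
        entries.append(cur)
    return entries


def stages_by_region(entries):
    """Map region base -> {stage: call site, or None when only the API ID matched}."""
    found = defaultdict(dict)
    for e in entries:
        sites = {name: addr for name, addr in e["apis"]}
        labels = list(sites) or [e["api_id"]]   # fall back to the API ID key
        for stage, needles in HOLLOWING_STAGES:
            for label in labels:
                if any(n in label for n in needles):
                    found[e["region"]].setdefault(stage, sites.get(label))
    return found


def hollowing_regions(entries):
    """Region bases in which every hollowing stage was fingerprinted."""
    wanted = {stage for stage, _ in HOLLOWING_STAGES}
    return sorted(region for region, stages in stages_by_region(entries).items()
                  if wanted <= set(stages))


if __name__ == "__main__":
    for region in hollowing_regions(parse_entries(REPORT_EXCERPT)):
        print(f"complete process-hollowing chain in region {region:08X}")
```

Run against the excerpt it reports only region 07700000; the 01740000 region, which in the full report also holds the GetModuleHandleW and CreateActCtxA functions, never matches because no hollowing stage lives there. When adapting this to a whole report, keep the per-region grouping: the same five APIs spread over different modules are far less suggestive than all five inside one unbacked memory region, which is what distinguishes a RunPE-style loader from ordinary process creation.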
                    Memory Dump Source
                    • Source File: 00000000.00000002.2114463144.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_12ad000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 51f328b8ea069a6685c16dd6b3326f9054a8cb85c90e775f10d91f2d04fd2c14
                    • Instruction ID: e1cba67611fdcf878388a8f8c64e2e3a82eed47d2918e6634d0c32d516fa2097
                    • Opcode Fuzzy Hash: 51f328b8ea069a6685c16dd6b3326f9054a8cb85c90e775f10d91f2d04fd2c14
                    • Instruction Fuzzy Hash: 12214270294208DFCB15CF68D980B22BF65FB88314F60C56DDA0A0B656C37AD407CA61
                    Memory Dump Source
                    • Source File: 00000000.00000002.2114463144.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_12ad000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f03da880647809c9551ba23f32aa683f7e57c174ff2363d8015f57d57ad58b9
                    • Instruction ID: f8b53a4d69889eefd0c34c4ce7ac669c0f0305aa44d44403f2857d8e50cbeb2b
                    • Opcode Fuzzy Hash: 0f03da880647809c9551ba23f32aa683f7e57c174ff2363d8015f57d57ad58b9
                    • Instruction Fuzzy Hash: 0B213471524208EFDB05DFA8C9C0F26BBA5FB88324F60C56DE9094B657C37AD806CA61
                    Memory Dump Source
                    • Source File: 00000000.00000002.2114463144.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_12ad000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d09639082974e5a2953d3a1c152fb9c0ed93a2755cc700b14b723c9155de40e1
                    • Instruction ID: 8eb21d45d12f511caf1788be9aaa38482a261162f43933a735e7a290b6e6a84d
                    • Opcode Fuzzy Hash: d09639082974e5a2953d3a1c152fb9c0ed93a2755cc700b14b723c9155de40e1
                    • Instruction Fuzzy Hash: 7921B0714483849FCB03CF24D994711BF71EB4A314F28C5DAD9898F6A7C33A980ACB62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2114463144.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_12ad000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                    • Instruction ID: a1bbda95abb483ee3fa5c0345378d7f72bd11708e88772c7f7b62f96a268828b
                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                    • Instruction Fuzzy Hash: 4A11BB75504284DFDB02CF54C5C4B15BFA1FB84324F24C6A9D9494B6A7C33AD40ACB62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1ead62e01fdab88730c6562c53bbcb9ff2ec37a3f3fd3b53bdb64fd0cee766df
                    • Instruction ID: 7c23a635d7569739f4714d73ac71602bdb813ce6e28e09ce330f1014fed8b822
                    • Opcode Fuzzy Hash: 1ead62e01fdab88730c6562c53bbcb9ff2ec37a3f3fd3b53bdb64fd0cee766df
                    • Instruction Fuzzy Hash: 22E1ACB1A01306CFDB29EB75C454BAEB7F6AF89280F14486AD146DB2D4CB35E901CB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 41051464c5c65287e86c38d0089a240c8bcf42063b3dec12561f07bc7dc6a2eb
                    • Instruction ID: 0976334d0755c90fda9bf4c5f36762233f31759309c7be1fa6c75189f52306c6
                    • Opcode Fuzzy Hash: 41051464c5c65287e86c38d0089a240c8bcf42063b3dec12561f07bc7dc6a2eb
                    • Instruction Fuzzy Hash: 051285F0C897498AD710CF65E94C189BAB1FB41398BD04B09D2B27F2E5DBB4156ACF44
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c7a321be3b33cfe1ca33766615ede567407895069a16a681dfefe4229c14e994
                    • Instruction ID: 35b5e2796187cb19a0dddb8d69db2e607a1f1128ba3c16daba6a05f1bfddb211
                    • Opcode Fuzzy Hash: c7a321be3b33cfe1ca33766615ede567407895069a16a681dfefe4229c14e994
                    • Instruction Fuzzy Hash: 3AE1D7B4E10119CFCB14DFA9C5809AEBBF2FF89305F248169D415AB396D731A981CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5edf14741642ffee24e03e158fea457381fc7dbb1f7088d0ad0f7bbd17fcda14
                    • Instruction ID: 5fd605a7ac80fd5b696009fb8436ec2ebf476d47b504a6d6343f587aab1c7102
                    • Opcode Fuzzy Hash: 5edf14741642ffee24e03e158fea457381fc7dbb1f7088d0ad0f7bbd17fcda14
                    • Instruction Fuzzy Hash: C8E1D9B4E10119CFCB14DFA9C9809AEBBF2FF49305F248169D415AB396D731AA41CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6985fca246e144aabd3077d4cca439da76c1e4a54c3cfe8daa1678afd15db4dd
                    • Instruction ID: 80bd05eb8fb4b9a12caf63816034439e59ea3eafeed76b012180a63181375fef
                    • Opcode Fuzzy Hash: 6985fca246e144aabd3077d4cca439da76c1e4a54c3cfe8daa1678afd15db4dd
                    • Instruction Fuzzy Hash: 87E1E7B4E10219CFCB14CFA9C5809AEBBF2FB89305F248169D515AB396D731A941CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 96c64f9486e1feb98d7cbe43a0e54313196f10fdbe3aaf3255ebb653325a66be
                    • Instruction ID: 2a8e49112e3f16a66f61fc8005a08da5d5e2a562eefd2472c412f8aa3ed82483
                    • Opcode Fuzzy Hash: 96c64f9486e1feb98d7cbe43a0e54313196f10fdbe3aaf3255ebb653325a66be
                    • Instruction Fuzzy Hash: 00E1D9B4E10219CFCB14CFA9C5809AEBBF2FF89345F248169D415AB396D731A941CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ad4b58f286998a13c29405c4d2717e912d0713b6c2ba26f5d52dcb46df341458
                    • Instruction ID: 9d0c8d7e007c986962bad82b3e9a664860c05f7e2f715c2e165190f31eba8e18
                    • Opcode Fuzzy Hash: ad4b58f286998a13c29405c4d2717e912d0713b6c2ba26f5d52dcb46df341458
                    • Instruction Fuzzy Hash: 98E1E9B4E10219CFCB14CFA9C5809AEBBF2FF89305F248169D415AB396D735A941CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c69af23ff8bc0d98541dfbeb29a1c54035ec326eb93fefabd7405e3939687c52
                    • Instruction ID: c74e2559582fc98afe55c9fa3e7063ebd0021299d706375dd5569bfd9b5b5959
                    • Opcode Fuzzy Hash: c69af23ff8bc0d98541dfbeb29a1c54035ec326eb93fefabd7405e3939687c52
                    • Instruction Fuzzy Hash: 45D1E731C2065ACACB11EF65D950A99B7B5FFD6300F10C79AD1093B265EB74AEC8CB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8d48e592eadf83c3c50be8ceb5e34ce07e63427ed2e7c7b59e00b5a8b02da9e0
                    • Instruction ID: cac9fa30f451f6528d18d3e0f29410eacb00e8cf3071e3065774094263224569
                    • Opcode Fuzzy Hash: 8d48e592eadf83c3c50be8ceb5e34ce07e63427ed2e7c7b59e00b5a8b02da9e0
                    • Instruction Fuzzy Hash: 49D1D731C2065ACACB11EF65D950A99B7B5FFD6300F10C79AD10937265EB74AEC8CB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115117102.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_1740000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 84ee4e092704ed883339dab1774cb614ebcb51cbb94b160128a6102cdec5158e
                    • Instruction ID: 49154043fc3b2c6992fcd93c9fb2d46c205c7e964f5eb3cfa5d1bce2e9a315c8
                    • Opcode Fuzzy Hash: 84ee4e092704ed883339dab1774cb614ebcb51cbb94b160128a6102cdec5158e
                    • Instruction Fuzzy Hash: D8A16D36E0021ACFCF15DFB8C84499EFBB2FF85300B15856AE905AB265DB75E916CB40
                    Memory Dump Source
                    • Source File: 00000000.00000002.2115703581.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3020000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e526cb1b47b7b0c1c7b64ca76f098aec200b6227026b08fc85660912d7c05b10
                    • Instruction ID: 79f6458ea1543c03b5648504a5bf64fb5206f3dc273cbe233543a5d4588669d9
                    • Opcode Fuzzy Hash: e526cb1b47b7b0c1c7b64ca76f098aec200b6227026b08fc85660912d7c05b10
                    • Instruction Fuzzy Hash: 3DD108B0C8574A8BD711CF74E94C189BBB2FB85394B944A09D1B27F2E1DBB414AACF44
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a861abed9084f74072578c0f34887ef05b1c73f90246a50e06bb7a4315904d0a
                    • Instruction ID: f1c1adbea72bd8a1f2362aade5712e64f565dcd02f6e2fef35c4f0df80e8e550
                    • Opcode Fuzzy Hash: a861abed9084f74072578c0f34887ef05b1c73f90246a50e06bb7a4315904d0a
                    • Instruction Fuzzy Hash: D8511DB0E102598FDB14CFA9D9805AEFBF2FF89305F248569D418AB356D7309A41CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2118199579.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7700000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1973689be5c5ba61e0051f7a9321212b5a8362c1f949dc0f3b96da5199287740
                    • Instruction ID: 1e185ebb9cc7c3ebb2ca59c788bcd1c8632971574d061367ac34caca0e09a9c9
                    • Opcode Fuzzy Hash: 1973689be5c5ba61e0051f7a9321212b5a8362c1f949dc0f3b96da5199287740
                    • Instruction Fuzzy Hash: 42511BB0E1021A8FCB14CFA9C5805AEFBF2FF89344F248169D418A7356D735AA41CFA1

                    Execution Graph

                    Execution Coverage:15.4%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:3
                    Total number of Limit Nodes:0
                    execution_graph 7035 11c8d98 7036 11c8dde GlobalMemoryStatusEx 7035->7036 7037 11c8e0e 7036->7037

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 313 11c8d52-11c8d79 316 11c8d7f-11c8dd6 313->316 317 11c8d7b-11c8d7e 313->317 320 11c8dde-11c8e0c GlobalMemoryStatusEx 316->320 321 11c8e0e-11c8e14 320->321 322 11c8e15-11c8e3d 320->322 321->322
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32 ref: 011C8DFF
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.4518339507.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_11c0000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID: z{tq
                    • API String ID: 1890195054-288613645
                    • Opcode ID: 4fe2afd981e63f46bd00eae50710271b1148f48836b7b11e8eb2a8719f2d3eef
                    • Instruction ID: 9beca06d18f06844d76e55f8551b856743be684fac235e4b8e30c386fae44136
                    • Opcode Fuzzy Hash: 4fe2afd981e63f46bd00eae50710271b1148f48836b7b11e8eb2a8719f2d3eef
                    • Instruction Fuzzy Hash: D921CA71C042999FCB14CFAAC4446DEFFF4EF49310F1489AAD848A7251D738A940CFA1

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 325 11c8d98-11c8e0c GlobalMemoryStatusEx 327 11c8e0e-11c8e14 325->327 328 11c8e15-11c8e3d 325->328 327->328
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32 ref: 011C8DFF
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.4518339507.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_11c0000_lrw6UNGsUC.jbxd
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID: z{tq
                    • API String ID: 1890195054-288613645
                    • Opcode ID: 2d8e7a58a39c82476f3580458bc0986cc1d99866f139e93630d25681305a87f5
                    • Instruction ID: 3408291f3629a7d86a994085dad9463bde6d5e733032de066d60dd9aa0f2f788
                    • Opcode Fuzzy Hash: 2d8e7a58a39c82476f3580458bc0986cc1d99866f139e93630d25681305a87f5
                    • Instruction Fuzzy Hash: BA111FB1C006699BCB10DF9AC544BDEFBF4EF48320F10812AE918A7240D378A940CFE5