
Windows Analysis Report
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe

Overview

General Information

Sample name:1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
Analysis ID:1598376
MD5:e8aecfbddc0287bb9de4d31bbf6ce56f
SHA1:ab7879f37bc502d63f7db057947a8becba585735
SHA256:819c36e3518ef3c8c926c4aad1c10786fca2a1f041d5bede1dfea9ac2af29fba
Tags: base64-decoded, exe, user-abuse_ch

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification: malicious (Trojan / Bot, Spyware, Evader; classification label mal100.troj.spyw.evad.winEXE@2/5@0/1)
  • System is w10x64
Malware Configuration

{
  "C2 url": [
    "81.161.238.16"
  ],
  "Port": 1888,
  "Aes key": "<123456789>",
  "SPL": "<Xwormmm>",
  "Install file": "USB.exe"
}
Yara Overview (Source | Rule | Description | Author, followed by the matched strings)

1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
    • 0x6417:$str01: $VB$Local_Port
    • 0x6408:$str02: $VB$Local_Host
    • 0x670c:$str03: get_Jpeg
    • 0x60c7:$str04: get_ServicePack
    • 0x7152:$str05: Select * from AntivirusProduct
    • 0x7350:$str06: PCRestart
    • 0x7364:$str07: shutdown.exe /f /r /t 0
    • 0x7416:$str08: StopReport
    • 0x73ec:$str09: StopDDos
    • 0x74ee:$str10: sendPlugin
    • 0x769a:$str12: -ExecutionPolicy Bypass -File "
    • 0x77c3:$str13: Content-length: 5235
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x7a30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7acd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7be2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76de:$cnc4: POST / HTTP/1.1

Note that the MALWARE_Win_AsyncRAT match rests only on three generic HTTP user-agent strings and a "POST / HTTP/1.1" string, so family attribution should rely on the XWorm-specific rule, the Suricata signature and the extracted configuration rather than on the AsyncRAT hit.
Memory dumps (Source | Rule | Description | Author)

00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x7830:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x78cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x79e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x74de:$cnc4: POST / HTTP/1.1
Process Memory Space: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe PID: 7400 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Unpacked PEs (Source | Rule | Description | Author)

0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
    • 0x6417:$str01: $VB$Local_Port
    • 0x6408:$str02: $VB$Local_Host
    • 0x670c:$str03: get_Jpeg
    • 0x60c7:$str04: get_ServicePack
    • 0x7152:$str05: Select * from AntivirusProduct
    • 0x7350:$str06: PCRestart
    • 0x7364:$str07: shutdown.exe /f /r /t 0
    • 0x7416:$str08: StopReport
    • 0x73ec:$str09: StopDDos
    • 0x74ee:$str10: sendPlugin
    • 0x769a:$str12: -ExecutionPolicy Bypass -File "
    • 0x77c3:$str13: Content-length: 5235
0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x7a30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7acd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7be2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76de:$cnc4: POST / HTTP/1.1
          No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)

2025-01-24T08:00:02.256278+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49752 | 81.161.238.16 | 1888 | TCP


          AV Detection

Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Avira: detected
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["81.161.238.16"], "Port": 1888, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Virustotal: Detection: 68%
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | String decryptor: 81.161.238.16
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | String decryptor: 1888
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | String decryptor: <123456789>
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | String decryptor: 09-01-25
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | String decryptor: USB.exe
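The string-decryptor output above and the AlgorithmAES.cs / TransformFinalBlock finding under System Summary show that the sample keeps its settings and C2 messages behind an AES layer keyed by a configured string. The Go program below is an added example, not code from this report or from XWorm itself: it implements the scheme that public XWorm write-ups describe (MD5 of the key string copied twice, with a one-byte overlap, into a 32-byte AES key; AES-ECB with PKCS#7 padding; base64 on the wire). That scheme is an assumption here and should be confirmed against this sample's AlgorithmAES.cs before any output is trusted; which string keys which data (the configured "Aes key" for C2 messages, the mutex string for the embedded settings in some versions) also varies by XWorm version. The "<123456789>" key and "<Xwormmm>" separator are the values the XWorm builder ships as defaults, so they do not identify a particular operator. The PING message in main is constructed for the example, not captured traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Values from the report's extracted configuration.
const (
	ConfiguredKey = "<123456789>" // "Aes key" (XWorm builder default)
	ConfiguredSPL = "<Xwormmm>"   // "SPL": field separator inside a decrypted message
)

// DeriveKey builds the 32-byte AES key the way public XWorm write-ups describe (assumption; confirm
// against AlgorithmAES.cs): the MD5 of the key string is copied into the buffer at offset 0 and again
// at offset 15, so the key is md5[0:15] + md5[0:16] + one zero byte.
func DeriveKey(keyString string) []byte {
	h := md5.Sum([]byte(keyString))
	key := make([]byte, 32)
	copy(key[0:], h[:])
	copy(key[15:], h[:])
	return key
}

// ecb runs the block cipher over each 16-byte block independently (no IV, no chaining), i.e. CipherMode.ECB.
func ecb(block cipher.Block, in []byte, decrypt bool) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad rejects malformed padding, which is the usual symptom of a wrong key.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key or corrupted data)")
	}
	return b[:len(b)-n], nil
}

// Encrypt mirrors the client side so test vectors can be produced offline.
func Encrypt(keyString, plaintext string) (string, error) {
	block, err := aes.NewCipher(DeriveKey(keyString))
	if err != nil {
		return "", err
	}
	ct := ecb(block, pkcs7Pad([]byte(plaintext), block.BlockSize()), false)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt takes the base64 form used for embedded settings and C2 messages.
func Decrypt(keyString, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(DeriveKey(keyString))
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	pt, err := pkcs7Unpad(ecb(block, ct, true), block.BlockSize())
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DecryptMessage decrypts a message and splits it into fields on the configured SPL separator.
func DecryptMessage(keyString, spl, b64 string) ([]string, error) {
	pt, err := Decrypt(keyString, b64)
	if err != nil {
		return nil, err
	}
	return strings.Split(pt, spl), nil
}

func main() {
	// Constructed message, not captured traffic: a command word and an argument joined by the SPL.
	ct, _ := Encrypt(ConfiguredKey, "PING"+ConfiguredSPL+"81.161.238.16")
	fields, err := DecryptMessage(ConfiguredKey, ConfiguredSPL, ct)
	fmt.Println(ct, fields, err)
}
```

Run with `go run`; main prints the base64 ciphertext, the recovered fields and a nil error. A wrong key normally fails at the padding check, but roughly one wrong key in 256 yields a valid-looking one-byte pad, so treat a successful decrypt of real data as a candidate and check that the output is printable before relying on it.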
Static PE and debug (PDB) strings

Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Note: the PE header carries 32BIT_MACHINE, yet the process ran as 64-bit (GAC_64 mscorlib and Framework64 mscorrc.dll below, code functions at 0x00007FF8...), which is consistent with an AnyCPU .NET assembly rather than a native 32-bit binary.
          Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.ni.pdbRSDS source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: lib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2339160136.000000001BB50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdbP source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Windows.Forms.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: .pdb, source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Configuration.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Configuration.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Drawing.ni.pdbRSDS source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.pdb` source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: 0C:\Windows\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.PDB source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2336671495.0000000000E64000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2336671495.0000000000E13000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2336671495.0000000000E13000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbMZ@ source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Drawing.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Management.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Core.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: b.pdb# source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2339160136.000000001BB50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbL source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2336671495.0000000000E13000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: indoC:\Windows\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER5CCA.tmp.dmp.7.dr

          Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.9:49752 -> 81.161.238.16:1888
Source: Malware configuration extractor | URLs: 81.161.238.16
Source: global traffic | TCP traffic: 192.168.2.9:49752 -> 81.161.238.16:1888
Source: Joe Sandbox View | ASN Name: NETIKOM-ASIT
Source: unknown | TCP traffic detected without corresponding DNS query: 81.161.238.16 (reported 31 times; the C2 address is a hard-coded IP in the configuration, so no DNS lookup precedes the connection)
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
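The networking findings above come down to one observable: a client opened TCP to a public address on port 1888 that no DNS answer had produced, and that address matches the extracted configuration. The Go program below is an added example, not part of the report, that turns this into hunting logic over constructed Zeek-style conn and dns lines (the telemetry, the benign addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and the port list are all made up for the example); only the C2 host:port pair is taken from the report. It generalises the report's "TCP traffic without corresponding DNS query" reasoning: a connection to a public address that no DNS answer explains is flagged when it uses an uncommon port, and the known C2 pair is flagged regardless of port.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed Zeek-style telemetry (not from the report's pcap); fields are whitespace separated.
// conn: ts src sport dst dport proto
const sampleConn = `1737702002.256 192.168.2.9 49752 81.161.238.16 1888 tcp
1737702001.100 192.168.2.9 49751 203.0.113.10 443 tcp
1737702003.000 192.168.2.9 49753 192.168.2.1 53 udp
1737702004.000 192.168.2.9 49754 198.51.100.7 443 tcp
1737702005.000 192.168.2.9 49755 198.51.100.8 4444 tcp`

// dns: ts query answer
const sampleDNS = `1737702000.900 www.example.test 203.0.113.10`

// Indicator from the report's extracted configuration: C2 host and port.
var knownC2 = map[string]int{"81.161.238.16": 1888}

// Direct-to-IP traffic on these ports is common enough (CDNs, updaters) that it is not flagged on its own.
var commonPorts = map[int]bool{53: true, 80: true, 443: true}

type Finding struct {
	Dst     string
	Port    int
	NoDNS   bool // no DNS answer in the log produced this address
	KnownC2 bool // matches the extracted XWorm C2 host:port
}

// resolvedAddresses collects every answer seen in the DNS log.
func resolvedAddresses(dnsLog string) map[string]bool {
	seen := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(dnsLog), "\n") {
		if f := strings.Fields(line); len(f) >= 3 {
			seen[f[2]] = true
		}
	}
	return seen
}

func isLocal(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// Hunt flags outbound connections to public addresses that no DNS answer explains and that use an
// uncommon port, and always flags the known C2 pair. Private and local destinations are skipped.
func Hunt(connLog, dnsLog string) []Finding {
	resolved := resolvedAddresses(dnsLog)
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(connLog), "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		dst := f[3]
		port, err := strconv.Atoi(f[4])
		ip := net.ParseIP(dst)
		if err != nil || ip == nil || isLocal(ip) {
			continue
		}
		noDNS := !resolved[dst]
		c2Port, ok := knownC2[dst]
		known := ok && c2Port == port
		if known || (noDNS && !commonPorts[port]) {
			out = append(out, Finding{Dst: dst, Port: port, NoDNS: noDNS, KnownC2: known})
		}
	}
	return out
}

func main() {
	for _, f := range Hunt(sampleConn, sampleDNS) {
		fmt.Printf("%s:%d noDNS=%v knownC2=%v\n", f.Dst, f.Port, f.NoDNS, f.KnownC2)
	}
}
```

On the constructed input this reports 81.161.238.16:1888 (known C2, no DNS) and 198.51.100.8:4444 (unresolved, uncommon port) and stays quiet on the resolved HTTPS connection, the unresolved-but-port-443 connection and the local DNS traffic. On real telemetry the DNS window should be bounded in time and the common-port list tuned to the environment, otherwise CDN traffic will dominate the output.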

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

          System Summary

Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Code function: 0_2_00007FF887CB74D2
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Code function: 0_2_00007FF887CB6726
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7400 -s 1516
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000000.1365320117.000000000084C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKIOL.exe4 vs 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Binary or memory string: OriginalFilenameKIOL.exe4 vs 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/1
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\YnKynSF972dJUnvl
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7400
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6e6dedfb-1d96-4fff-9b7b-be98c96e6af2
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Virustotal: Detection: 68%
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | File read: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
Source: unknown | Process created: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe "C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe"
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7400 -s 1516
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Sections loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, mswsock.dll, wbemcomn.dll, amsi.dll, userenv.dll, avicap32.dll, msvfw32.dll, winmm.dll
Note: the load order matches the behaviour signatures above: rsaenh.dll/cryptsp.dll for the AES layer, mswsock.dll for the C2 socket, wbemcomn.dll for the WMI AntivirusProduct and Win32_VideoController queries, and avicap32.dll/msvfw32.dll (the legacy VFW capture API) for webcam access.
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Binary string: System.Windows.Forms.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2336671495.0000000000E13000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbMZ@ source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Drawing.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Management.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Core.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: b.pdb# source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2339160136.000000001BB50000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbL source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2336671495.0000000000E13000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: indoC:\Windows\mscorlib.pdb source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2338976688.000000001B658000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER5CCA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER5CCA.tmp.dmp.7.dr

          Data Obfuscation

          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, Messages.cs .Net Code: Memory
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Code function: 0_2_00007FF887CB29FA push eax; iretd 0_2_00007FF887CB2A21
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Code function: 0_2_00007FF887CB2962 pushad ; retf 0_2_00007FF887CB29E1
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Code function: 0_2_00007FF887CB28FA pushad ; retf 0_2_00007FF887CB29E1
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Memory allocated: D80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Memory allocated: 1AB80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Window / User API: threadDelayed 8812
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Window / User API: threadDelayed 1024
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe TID: 7528 Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe TID: 7532 Thread sleep count: 8812 > 30
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe TID: 7532 Thread sleep count: 1024 > 30
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Thread delayed: delay time: 922337203685477
          Source: Amcache.hve.7.dr Binary or memory string: VMware
          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
          Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
          Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2339160136.000000001BB50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
          Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
          Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
          Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Memory allocated: page read and write | page guard
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2D
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe VolumeInformation
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2339160136.000000001BB50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          Source: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe PID: 7400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe PID: 7400, type: MEMORYSTR
MITRE ATT&CK Matrix, listed per tactic column (the number in parentheses is the match count shown in the matrix for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (11); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (141); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (131); Process Discovery (2); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Information Discovery (13); Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
[Behavior graph omitted; its text content follows.] Behavior Graph ID: 1598376. Sample: 1737701404d7e2db9bd85949651... Start date: 24/01/2025. Architecture: WINDOWS. Score: 100. Signatures at the sample level: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. Process started: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, which connected to 81.161.238.16 (ports 1888, 49752, 49884; NETIKOM-ASIT, Germany), triggered the signature "Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)", and started WerFault.exe.



Source | Detection | Scanner | Label
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | 68% | Virustotal |
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
81.161.238.16 | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
81.161.238.16 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.7.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe, 00000000.00000002.2337305908.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
81.161.238.16 | unknown | Germany | 207146 | NETIKOM-ASIT | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1598376
Start date and time: 2025-01-24 07:58:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 3
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 13.107.246.45, 4.245.163.56, 40.126.32.140
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:59:50 | API Interceptor | 1113468x Sleep call for process: 1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe modified
02:01:23 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
81.161.238.16 | 17364115297f61f586fff2f9f61c6de189b58a026f1074b956f1ca31f9ba7278e0731ae98d661.dat-decoded.exe | | malicious | XWorm |
81.161.238.16 | 17363365244ca79501090c483ecbbe8e49eacb86ddae8a21a78f441e6c87d9fa2b56b68bca155.dat-decoded.exe | | malicious | XWorm |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | invoice.exe | | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.flugger.pl | | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | bvb.exe | | malicious | MicroClip | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Xworm.exe | | malicious | XRed, XWorm | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | zP7de9JgdQ.exe | | malicious | XRed | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 2FA Authentication Secure8886a97ef76ac27b09e7a5681cda7794 - RefID295251.htm | | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | uwM8VlcQK2.exe | | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 37WlRQmMCY.exe | | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://app-probonio-de.trusted-mail.live/0rp2sch94q0b404y | | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://gemininhlogin.webflow.io/ | | malicious | Unknown | 13.107.246.45
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
NETIKOM-ASIT | 17364115297f61f586fff2f9f61c6de189b58a026f1074b956f1ca31f9ba7278e0731ae98d661.dat-decoded.exe | | malicious | XWorm | 81.161.238.16
NETIKOM-ASIT | 17363365244ca79501090c483ecbbe8e49eacb86ddae8a21a78f441e6c87d9fa2b56b68bca155.dat-decoded.exe | | malicious | XWorm | 81.161.238.16
NETIKOM-ASIT | file.exe | | malicious | Amadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, Vidar | 81.161.238.172
NETIKOM-ASIT | file.exe | | malicious | Unknown | 81.161.238.172
NETIKOM-ASIT | Scvi1cE64H.exe | | malicious | XWorm | 81.161.238.249
NETIKOM-ASIT | n5QCsKJ0CP.exe | | malicious | RedLine | 81.161.238.38
NETIKOM-ASIT | wyOEIjmWs8.exe | | malicious | Remcos | 81.161.238.174
NETIKOM-ASIT | 17308799445bb8287de7df48f59c1bda103369e3b3f101fa2921985dedc6b2bd9077b91ee0277.dat-decoded.exe | | malicious | AsyncRAT, XWorm | 81.161.238.107
NETIKOM-ASIT | https://81.161.238.66 | | malicious | Xmrig | 81.161.238.66
NETIKOM-ASIT | KMqGoudziq.elf | | malicious | Unknown | 81.161.235.176
No context
No context
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.2833941302962286
                    Encrypted:false
                    SSDEEP:192:Tv6a0JuV53081iHysva2z8iyrHltlFwnzuiFfZ24lO8E/:76a0JuVa81ipaY8iYVgzuiFfY4lO88
                    MD5:7554D36EABBC09C44F154F52E20B099F
                    SHA1:E43921CAB6C6F85604368ABB8525D929B0FFF241
                    SHA-256:BDFF4EBA3312BE938BDF2EBDA9636B4D201BC582E487DD53710C562FC6F187F8
                    SHA-512:5281D8FAE635151C2EC400F7B4C5B455690FA038101764F232CA70FE8421D63078B83D53140E64DA9D2CA8C7B051353F52DAA0D76A10D4CF8CA272A89D4F379F
                    Malicious:false
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.1.7.5.6.6.6.6.3.8.6.3.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.1.7.5.6.6.7.5.2.9.2.5.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.7.6.2.2.d.2.-.b.8.5.c.-.4.5.8.a.-.b.c.d.c.-.8.5.1.1.8.0.f.6.7.8.b.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.0.7.a.c.8.9.a.-.6.b.1.e.-.4.5.e.9.-.9.4.6.2.-.2.6.2.3.c.7.5.b.a.0.2.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.1.7.3.7.7.0.1.4.0.4.d.7.e.2.d.b.9.b.d.8.5.9.4.9.6.5.1.d.7.7.1.c.f.2.c.7.1.b.3.5.c.7.c.5.3.a.8.0.3.1.3.7.9.8.4.6.b.c.9.b.f.6.0.7.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.K.I.O.L...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.8.-.0.0.0.1.-.0.0.1.4.-.a.9.b.f.-.b.2.8.d.2.d.6.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.8.b.0.c.5.5.4.4.b.7.4.6.5.a.d.1.e.a.5.0.7.3.1.2.0.7.e.e.9.3.f.0.0.0.0.0.0.0.0.!.0.0.0.0.a.b.7.8.7.9.
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Mini DuMP crash report, 16 streams, Fri Jan 24 07:01:06 2025, 0x1205a4 type
                    Category:dropped
                    Size (bytes):503505
                    Entropy (8bit):3.221259364806333
                    Encrypted:false
                    SSDEEP:3072:ulVaE2hlPlg4xsMKtcSIpQFAtlRO51CCqhyD3+v+0xct/d:8cNgxM2C7tn2qhS3Q1Y
                    MD5:DFF368DDF1C69E4CE1D231BF8A26BF52
                    SHA1:4ED47CA868FE25F136F8DA5DBA9B4733FF2E68E8
                    SHA-256:0714E364AF5642DE43F7AA832D81E0575AEA1F7666D625891E91700B51799746
                    SHA-512:4E479E116D8AB70606B3147D4F919851DCC390393F7EBC67EA97DDFE8152BC7FD55A117CC5DF891F86D45BB133C450D4403AF69CEEB373886AFDC5D865EF638D
                    Malicious:false
                    Reputation:low
                    Preview:MDMP..a..... ........:.g........................H...........$...<&......$...`&......D=..D...........l.......8...........T............;..9s...........4..........p6..............................................................................eJ.......7......Lw......................T...........b:.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):9064
                    Entropy (8bit):3.7176193533379047
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJ1nr6YcDKfjgmfZh8xprb89btbUHftHjm:R6lXJVr6YtLgmf/RtbMf96
                    MD5:8D20B2C5F767F01277384A981484D14D
                    SHA1:E745998E0299AAEC12D0FDC1D04D302532A044CB
                    SHA-256:858B1C5827FBBB92559C1EAF4637D796BDF140F1808A3369D39A6BFD93C812E0
                    SHA-512:D7C9F343A9709E2D2924604E282F7B452407D117D3D52D245C87A89B834B5D477D0E9D3FF0ADA9D41B64E45D55C13276951D7AE3ED6F674A92C5F6E7C3720FD9
                    Malicious:false
                    Reputation:low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.0.<./.P.i.
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5015
                    Entropy (8bit):4.587484092718318
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsiJg771I94LWpW8VYOYm8M4JX1FMyq8vWjmNK8Dd:uIjfwI7b67VeJsW2mNK8Dd
                    MD5:908A87C763DF26AD70E28E5FB0FFC98E
                    SHA1:1DED39902F4D52ACF4FBD8AB6DB9E96DCC1730FB
                    SHA-256:48C0F1BD667188247989438B3EEF883050FC8EA1A506AF3E8E380BEC4D0E345E
                    SHA-512:8408C93B652EA0C98F76D07D2931775FB4946AE48D114B6E89DB050E1290B7F3588EF5B67B14AE6CA965067D63CE879FA8B054A0F18D652AEA68985426924C07
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="689643" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1835008
                    Entropy (8bit):4.394606929166952
                    Encrypted:false
                    SSDEEP:6144:3l4fiJoH0ncNXiUjt10qTG/gaocYGBoaUMMhA2NX4WABlBuNqROBSqa:14vFTMYQUMM6VFYcRU
                    MD5:0979BEF1DBE7A3C17B0852E03A52A558
                    SHA1:05B0D909BE2FF01B57D9AE66E6B691B5DB9D1EF1
                    SHA-256:64528E034C2580FF8B7368C290319BE361C9BB4C98A207DEC64BE7FFE2E75360
                    SHA-512:E8BA54128C929F6C8D8B87DDF98D854E4FFB1EC7325B1102CFC1DA1579FFD1C9F840B13E0A58BE051A42B44876A878FCD80B5D363E2D675EFAC26878ACDCF107
                    Malicious:false
                    Reputation:low
                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..?.-n................................................................................................................................................................................................................................................................................................................................................(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.609964104913814
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
                    File size:36'864 bytes
                    MD5:e8aecfbddc0287bb9de4d31bbf6ce56f
                    SHA1:ab7879f37bc502d63f7db057947a8becba585735
                    SHA256:819c36e3518ef3c8c926c4aad1c10786fca2a1f041d5bede1dfea9ac2af29fba
                    SHA512:e39493dac1b9bbd5aac188bc93d4447d046977a875da8f70cb6c8bc4f7733f14f8277f5244fac62ebde8edff765ad020bfeac5d01beebc8d157ea36f5bed0ac4
                    SSDEEP:768:8L13A5Uno9RfHWa2BLGeo8icHyEWbFb9YNOMhUQXv9:qxA5Uno9JHWX6eNicHyESFb9YNOMO69
                    TLSH:8FF24C48BBA04216D9ED6BF5A97372020270E613DD17EB4E4CD489DB6F23BC48D013EA
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g................................. ........@.. ....................................@................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x40a5de
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x677FCB69 [Thu Jan 9 13:13:13 2025 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entry point disassembly)
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is listed 97 times in a row: the bytes following the CLR stub jump are all zero, and the two-byte sequence 00 00 decodes as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa590 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85e4 | 0x8600 | 0d78d9b86d9eea0b27fee5f4f4b5b981 | False | 0.49886310634328357 | data | 5.7462073832525515 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d0 | 0x600 | fa7454f64dc096c700e9ab0e3d870673 | False | 0.3743489583333333 | data | 3.7032524543400984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 0a3a083968c42d8366b2de0e8564a094 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x23c | data | - | - | 0.4737762237762238
RT_MANIFEST | 0xc2e0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-24T08:00:02.256278+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.9 | 49752 | 81.161.238.16 | 1888 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 24, 2025 07:59:51.289974928 CET | 49752 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 07:59:51.294903994 CET | 1888 | 49752 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 07:59:51.295018911 CET | 49752 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 07:59:51.463182926 CET | 49752 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 07:59:51.469623089 CET | 1888 | 49752 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:02.256278038 CET | 49752 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:02.262253046 CET | 1888 | 49752 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:12.668418884 CET | 1888 | 49752 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:12.670245886 CET | 49752 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:12.734853029 CET | 49752 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:12.735646963 CET | 49884 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:12.744113922 CET | 1888 | 49752 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:12.744638920 CET | 1888 | 49884 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:12.744735956 CET | 49884 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:12.791599989 CET | 49884 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:12.799628019 CET | 1888 | 49884 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:23.485352039 CET | 49884 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:23.490242958 CET | 1888 | 49884 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:34.120194912 CET | 1888 | 49884 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:34.120331049 CET | 49884 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:35.047224045 CET | 49884 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:35.047955990 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:35.053317070 CET | 1888 | 49884 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:35.054337025 CET | 1888 | 49974 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:35.054439068 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:35.086122036 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:35.090969086 CET | 1888 | 49974 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:49.579114914 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:49.584203959 CET | 1888 | 49974 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:55.266355038 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:55.271188021 CET | 1888 | 49974 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:56.454400063 CET | 1888 | 49974 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:56.454497099 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:58.516387939 CET | 49974 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:58.517693996 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:58.521192074 CET | 1888 | 49974 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:58.522541046 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:00:58.522686958 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:58.570091963 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:00:58.575171947 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:04.141372919 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:04.146393061 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:04.234966040 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:04.239908934 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:19.887149096 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:19.887334108 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:24.758677006 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:24.763509989 CET | 49976 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:24.763536930 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:24.764786959 CET | 49988 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:24.768307924 CET | 1888 | 49976 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:24.769869089 CET | 1888 | 49988 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:24.769949913 CET | 49988 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:24.822947025 CET | 49988 | 1888 | 192.168.2.9 | 81.161.238.16
Jan 24, 2025 08:01:24.827980042 CET | 1888 | 49988 | 81.161.238.16 | 192.168.2.9
Jan 24, 2025 08:01:25.193126917 CET | 49988 | 1888 | 192.168.2.9 | 81.161.238.16
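The TCP table above shows two patterns a detection engineer can score without any payload visibility: the client sends a packet on the same socket roughly every ten seconds (the Suricata PING alert at 08:00:02.256278 fires on the first such packet of socket 49752), and each time a socket winds down a new one to the same 81.161.238.16:1888 endpoint is opened within milliseconds (49752, 49884, 49974, 49976, 49988). The script below is an added example, not part of the Joe Sandbox report or of XWorm itself; it transcribes the first 27 rows of the table (the first three client sockets) as constructed input and applies two heuristics whose thresholds (5 s minimum idle gap, 2 s reconnect window, `192.168.` as the local prefix) are assumptions chosen for this sample.

```python
"""Added example (not from the report): beacon and reconnect heuristics over the TCP table above.
Heuristic 1: repeated idle gaps of several seconds between client->server packets on one socket
(keep-alive / PING cadence).  Heuristic 2: a new socket to the same server endpoint opened the
moment the previous one closes.  Thresholds and the "192.168." local prefix are assumptions."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float      # seconds since midnight; every row of the report is on the same day
    sport: int
    dport: int
    sip: str
    dip: str


FlowKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)

# Transcribed from the report's TCP table: the first three client sockets (07:59:51 to 08:00:35).
# Columns: time  src_port  dst_port  src_ip  dst_ip
REPORT_ROWS = """\
07:59:51.289974928 49752 1888 192.168.2.9 81.161.238.16
07:59:51.294903994 1888 49752 81.161.238.16 192.168.2.9
07:59:51.295018911 49752 1888 192.168.2.9 81.161.238.16
07:59:51.463182926 49752 1888 192.168.2.9 81.161.238.16
07:59:51.469623089 1888 49752 81.161.238.16 192.168.2.9
08:00:02.256278038 49752 1888 192.168.2.9 81.161.238.16
08:00:02.262253046 1888 49752 81.161.238.16 192.168.2.9
08:00:12.668418884 1888 49752 81.161.238.16 192.168.2.9
08:00:12.670245886 49752 1888 192.168.2.9 81.161.238.16
08:00:12.734853029 49752 1888 192.168.2.9 81.161.238.16
08:00:12.735646963 49884 1888 192.168.2.9 81.161.238.16
08:00:12.744113922 1888 49752 81.161.238.16 192.168.2.9
08:00:12.744638920 1888 49884 81.161.238.16 192.168.2.9
08:00:12.744735956 49884 1888 192.168.2.9 81.161.238.16
08:00:12.791599989 49884 1888 192.168.2.9 81.161.238.16
08:00:12.799628019 1888 49884 81.161.238.16 192.168.2.9
08:00:23.485352039 49884 1888 192.168.2.9 81.161.238.16
08:00:23.490242958 1888 49884 81.161.238.16 192.168.2.9
08:00:34.120194912 1888 49884 81.161.238.16 192.168.2.9
08:00:34.120331049 49884 1888 192.168.2.9 81.161.238.16
08:00:35.047224045 49884 1888 192.168.2.9 81.161.238.16
08:00:35.047955990 49974 1888 192.168.2.9 81.161.238.16
08:00:35.053317070 1888 49884 81.161.238.16 192.168.2.9
08:00:35.054337025 1888 49974 81.161.238.16 192.168.2.9
08:00:35.054439068 49974 1888 192.168.2.9 81.161.238.16
08:00:35.086122036 49974 1888 192.168.2.9 81.161.238.16
08:00:35.090969086 1888 49974 81.161.238.16 192.168.2.9
"""


def parse_ts(text: str) -> float:
    hms, frac = text.split(".")      # report timestamps carry nanoseconds, too wide for %f
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + float("0." + frac)


def parse_rows(text: str) -> List[Packet]:
    pkts = []
    for line in text.strip().splitlines():
        ts, sp, dp, sip, dip = line.split()
        pkts.append(Packet(parse_ts(ts), int(sp), int(dp), sip, dip))
    return pkts


def group_flows(pkts: List[Packet], local_prefix: str = "192.168.") -> Dict[FlowKey, List[Packet]]:
    """Bucket packets per TCP socket, keyed so the sandbox VM is always the client side."""
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in pkts:
        local = p.sip.startswith(local_prefix)
        flows[(p.sip, p.sport, p.dip, p.dport) if local else (p.dip, p.dport, p.sip, p.sport)].append(p)
    return {k: sorted(v, key=lambda p: p.ts) for k, v in flows.items()}


def idle_gaps(flow: List[Packet], client_ip: str, min_gap: float) -> List[float]:
    """Gaps of at least min_gap seconds between consecutive client->server packets."""
    t = [p.ts for p in flow if p.sip == client_ip]
    return [b - a for a, b in zip(t, t[1:]) if b - a >= min_gap]


def reconnect_count(flows: Dict[FlowKey, List[Packet]], max_gap: float = 2.0) -> int:
    """Sockets to one server endpoint opened within max_gap s of the previous socket's last packet
    (a negative difference, i.e. overlap with the old socket's teardown, counts as well)."""
    by_server: Dict[Tuple[str, int], List[List[Packet]]] = defaultdict(list)
    for key, pk in flows.items():
        by_server[(key[2], key[3])].append(pk)
    hits = 0
    for socks in by_server.values():
        socks.sort(key=lambda pk: pk[0].ts)
        hits += sum(1 for prev, nxt in zip(socks, socks[1:]) if nxt[0].ts - prev[-1].ts <= max_gap)
    return hits


def summarize(text: str, min_gap: float = 5.0) -> dict:
    flows = group_flows(parse_rows(text))
    gaps = {k: idle_gaps(v, k[0], min_gap) for k, v in flows.items()}
    every = sorted(g for gs in gaps.values() for g in gs)
    return {"servers": {(k[2], k[3]) for k in flows}, "flow_count": len(flows),
            "flows_with_beacon_gaps": sum(1 for gs in gaps.values() if gs), "beacon_gaps": gaps,
            "median_gap": every[len(every) // 2] if every else None, "reconnects": reconnect_count(flows)}


if __name__ == "__main__":
    r = summarize(REPORT_ROWS)
    print(f"servers={r['servers']} sockets={r['flow_count']} reconnects={r['reconnects']} "
          f"median_idle_gap={r['median_gap']:.2f}s beaconing_sockets={r['flows_with_beacon_gaps']}")
```

On the transcribed rows the two sockets that lived long enough each show two idle gaps of about 10.4 to 10.8 s, and both hand-overs to the next ephemeral port overlap the old socket's teardown, so both heuristics fire on the same endpoint. Either one alone is noisy (HTTP keep-alives and database pools reconnect too); it is the combination with a non-standard destination port and a destination outside the organisation that makes this worth an alert.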
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 24, 2025 07:59:43.720897913 CET | 1.1.1.1 | 192.168.2.9 | 0x4dc | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 24, 2025 07:59:43.720897913 CET | 1.1.1.1 | 192.168.2.9 | 0x4dc | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Target ID: 0
Start time: 01:59:46
Start date: 24/01/2025
Path: C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c745814b60686.dat-decoded.exe"
Imagebase: 0x840000
File size: 36'864 bytes
MD5 hash: E8AECFBDDC0287BB9DE4D31BBF6CE56F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1365302764.0000000000842000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 7
Start time: 02:01:06
Start date: 24/01/2025
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 7400 -s 1516
Imagebase: 0x7ff6daac0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                    Execution Graph

                    Execution Coverage:20%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:3
                    Total number of Limit Nodes:0
execution_graph (nodes and edges):
  3287: 7ff887cb1bf8 -> 3289
  3289: 7ff887cb1c01 (calls SetWindowsHookExW) -> 3290
  3290: 7ff887cb1cd1

                    Executed Functions

                    Memory Dump Source
                    • Source File: 00000000.00000002.2339834915.00007FF887CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887cb0000_1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c74581.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cc2d3820d69b599189bf641114e2bab205e829e365c3556a4e4a8413320c36f2
                    • Instruction ID: 17ed8e7720d00e2233f30aac799eed67e6b893740c67d48c0dcc63811c6462b7
                    • Opcode Fuzzy Hash: cc2d3820d69b599189bf641114e2bab205e829e365c3556a4e4a8413320c36f2
                    • Instruction Fuzzy Hash: 2BF18230908A8D8FEBA8DF28C8557E977E2FF55350F04426EE84DC7295DB389945CB82
                    Memory Dump Source
                    • Source File: 00000000.00000002.2339834915.00007FF887CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887cb0000_1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c74581.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4e8ad6836b5a8671a85cbc2f5447dc3db285228d3315ccc4525a89a94b9bd0db
                    • Instruction ID: 09470262f8c5e3fa3c5a24d98142129b8d2ebdc61c6b56a3552174b783a51797
                    • Opcode Fuzzy Hash: 4e8ad6836b5a8671a85cbc2f5447dc3db285228d3315ccc4525a89a94b9bd0db
                    • Instruction Fuzzy Hash: F9E1A230908A4D8FEBA9DF28C8557ED77E2FB54350F04426EE84DC7291DB78A945CB82

                    Control-flow Graph

control_flow_graph (basic blocks and edges):
  261: 7ff887cb1bf8-7ff887cb1bff -> 262, 263
  262: 7ff887cb1c01-7ff887cb1c09 -> 263
  263: 7ff887cb1c0a-7ff887cb1c7d -> 266, 267
  266: 7ff887cb1c83-7ff887cb1c88 -> 269
  267: 7ff887cb1d09-7ff887cb1d0d -> 268
  268: 7ff887cb1c92-7ff887cb1ccf (calls SetWindowsHookExW) -> 270, 271
  269: 7ff887cb1c8f-7ff887cb1c90 -> 268
  270: 7ff887cb1cd1 -> 271
  271: 7ff887cb1cd7-7ff887cb1d08
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2339834915.00007FF887CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887cb0000_1737701404d7e2db9bd85949651d771cf2c71b35c7c53a8031379846bc9bf607c74581.jbxd
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 2bb4d02d6467b29af7d2ae4abd7663d65c93e7e9853b8179ef84e644d009d095
                    • Instruction ID: 88141804925feb451b820891481fc17e21312759acc2f6161e3abcbd88e5730b
                    • Opcode Fuzzy Hash: 2bb4d02d6467b29af7d2ae4abd7663d65c93e7e9853b8179ef84e644d009d095
                    • Instruction Fuzzy Hash: A241F83091CA594FD718EB68D80A6F9BBE1FB55361F10423EE05DD3192CA64A812C7C1