Edit tour

Windows Analysis Report
Xworm V5.6.exe

Overview

General Information

Sample name:	Xworm V5.6.exe
Analysis ID:	1532861
MD5:	db51a102eab752762748a2dec8f7f67a
SHA1:	194688ec1511b83063f7b0167ae250764b7591d1
SHA256:	93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected RUNPE

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains very large strings

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Xworm V5.6.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\Xworm V5.6.exe" MD5: DB51A102EAB752762748A2DEC8F7F67A)

WerFault.exe (PID: 5744 cmdline: C:\Windows\system32\WerFault.exe -u -p 6780 -s 1360 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Xworm V5.6.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
Xworm V5.6.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Xworm V5.6.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Xworm V5.6.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Xworm V5.6.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Xworm V5.6.exe	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Xworm V5.6.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9836f7:$s6: VirtualBox 0x98351f:$s8: Win32_ComputerSystem 0x991fc2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x992013:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9920a0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x989f4a:$cnc4: POST / HTTP/1.1
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f4f7:$s6: VirtualBox 0x7f31f:$s8: Win32_ComputerSystem 0x8ddc2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8de13:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8dea0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x85d4a:$cnc4: POST / HTTP/1.1
00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 6780	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 6780	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 6780	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 6780	JoeSecurity_RUNPE	Yara detected RUNPE	Joe Security
Process Memory Space: Xworm V5.6.exe PID: 6780	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6a42d0:$s6: VirtualBox 0x6a40f8:$s8: Win32_ComputerSystem 0x6b002d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b007e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6b010b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6a9741:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAB4AAAAQ4CAIAAABnsVYUAAAAAXNSR0IB2cksfwAAAAlwSFlzAAALEwAACxMBAJqcGAAKdAZJREFUeJzsneuS2zjPredGpiMn+X7uN31y5v7vbMtNmwYPC8IiQVt2swo1ldbIEokTwUcS+c/y+U7J4eODkuXjLcjh8/3n8WOV9d8/3l/XP6PEc8JplPz6OEl5XGn/8v4e5NrId9ivtamy8aG168EgscHx4OHzJJUeJZc9RgmXLYXVAyuhbbJ3tXZW7JjJz8/PoMAfb29RFH3S0tHHUqXRTNde4/vKbl4tbomR9bJRPl8LKZrq1N/MvmV8KfZFsto3mDgGTjCxxV49cQ0F+eclqDP59fHRIJXrfwIBfXx5+3OKjuPHr7+fIemdz2HzZ5qmYuLKMtj1COsnQGQWOrf87fUkbPtRjGRu+ZXJf76//fioy8v76yrh3zLKVvWef/735KhBCdFjKzHllZdIP0QyvD1nRxXKP76u8uPzz0kSJb+vktlI5tL1v+c0eDHB8vnOxgvdfjaHOOjqJC/vq8uddRL+r8yEhBR+niXnWwvpt3Q+AXUCe50wRsvfnjMSqX9Zqpkak9o6jncvr6+hsIkxe1YR9vP42/CTn+t/33i7Axtt9jd2ecNeOD9nEirtmIR/pHaR40WSsYEdoTkG50OkhzBMV0Y9p7hDcaHXkMtFmZnO7dePdW85VanbBbQHjcv3she0IzkfLK2c6arwUrWed2p/KT9FKbv+OyST5fU1NjILea98zsrPtR778qIQ/i9ptVAKspf0sR7+gKQczfXxHZZwhtqmp/5Bes7gQz6Ltwu+dZWToDHIq74NRddJUcfVkT7Xf/w4DTpvaJz99+31VKEdP3/+Pa6y/mP9MxysCsqZXv7P1j9wns7f91CMxfp9XfqOZtCn1LRWO29vIVldjxv4STLuXIqu6EuWOrziKoIGhHNkbT9uPErqxtRYJRNQ8jP0Kxy81UBG9QC8LylVN1Z87B/6BqTBZGueDECXhUvsV6VHlYufALTXhI2VWLXkQ9eWHfMCd2cAulRgOanYssv1vvHkTQBdVktPA6DLRKbZ1ymuoeCE61IAeQHoEFkyabTp/14AuuxXyLQsYLUPVDqARhOSCKBPqr4AaC2HDPYfVj/s9en2TABN6+ojTHuuk5YeE5AF2XBh/f9O7aza3QVAG/Xz0ADaHjJKfs4k5P8qDM3emUhyNbAjjOvB+ZByPMc4RfUz1P9gAA3tslXfTgB9n3q+yDwhKcVG7gRAB7+Nj6B0+rzsAEBf0UzTA+YJoH2FBdDx/ACg4/nfEEAreUxvZ1eXzc5ziQWSadb87aEB9DVFFxB5AugBBUeaHx8OQKPAjgczvgl7pF7fnrC8JFYt+dBFtnNvABpNwGCC3rpvvJQOoOUbmgmGfnAAnSW1CaCNADrL7yHjNQCUewHo7COPteW/P08iwzwL+aEAGo1NJYCuvJ5/Q/95FAB9lsQo+ZlSb48CoHv0DGO8x15kQTZaaP+8VzudACUNZMWLNjGiJYDOI31nALraTQVMKPk5EwVAZ7IJoB3t2xCP9TbX3pR3jFNUP0P93wNAK/4wGkCz+Qf197YA2hC5Xv5TzFj3CaCXGjs+4AcbdwTQ0vGyg4TfTgDtKpfXIPJXATYBdAasvxuAxl/kb7ezq8s4vqKksUAyzSZ/2yGAjr+9pugCIjeMd0rwVgP5+wJomSKtxahB7gWgw7/RohmVHqFAnUtwuAY8+uQWvcluuW+8ziaAlgw6VE4TQPsO8Ja29RRJXgBaKiGWAidayuu87OPh4xYAOuvXmmbvCKDjhHxJP/FeVbpcZtprLqqvD3ND/6EBX0c8mtozAXQTgI7zmVi8biw9hIQsyEYL7Z/3aqcToGzznyyiUWGz7A9Al1fQ60klP2fyrQD0UH9OBOl/GIAuT7b4wwTQ7i5BSfn5xXk8ElO5PQDo8i0cWbmVcl8AnWXUCaCrIYmC1C0nC5kAuq0x2cgVc4KlnV1dxvFVrt6pzAehPDiATurG1C5X/Yv4ov0KB281kL8dgEYFkFcwjAbQegsryLjI1LrjTgDtHPBOABo9UWDv++gAmh4AnOIaiqGdiSBwDGR3ABrYUZ84EX4CRPr/OdLfT8tAs4CPBdAwzxQL6QStxq+5w9vl9fxj8B/Wr2g/vBOArmhAXb8SwaMJoCeANl2fnICx12z2H3lBpb6qU+b35Hgys9oZgGarRx3MJRng/ST6OWdJ8zznGzfNhJW2RQ/xrcPZuMgW79o8X7m+/HfzC0Dw+k52YfMPas+jA2jUzrgngaRy65HYyJ0A6HJ1Sj2O7gWg7RlV90+U65BNvfLV3gC0V30r3VtHz7I2M1mq8P8R0c3m+QXM7xruW4abMZ939XdL5NtCL7Y9tFC8ENG6JwB9bXBKA8oxtCU/4+CtBjILoHtCoOrkmdwIQFcXTXYJhnsBaBjwKFQMieCW5U6sWvKhCzk0aOc+AXQ1BuqFJvbbrHLS7YI/9Z0A2tWfDe1MC8T7AOgsv7cvwXE/AJ0/qrnJJoSWfJjkn6P4SOULQL+8vua+avAf1q9oP5wA+qEAdFm8NtqLLMhGC+2f7PUH1DPJdZr8J15qEyxmoDkG9ZUjZ6/27A9AV7UHdYukrPSeGkBLGfEiCBsXvgC6Uuej+Orwzx5h8w/q73AAbfIi8zId5nb++/YqAXSEdLGR+wHQpRcpfnVHAB0UIj/ga/DPCaA34pc1Cg+gCWM9L4AOYh+53GozGz/8tgA6ae1lLH55+5OYW3TQK36rYXt4IABtcQiLPDqArm48uB6EmxCGrQUngGYD2yvgCwW2bUKIVlbh7/uEAFr7VA34tpvrGtqZFoj3AdBumxDeCUCXVz4DCBbI4utnetMBNNJzsqnAx8fL6+sE0HpUhiy0fPz5EqHYMB97cADdoyXZzrkJYRuw8Kpnyke/WbFu95/sspsAWrLmTD+HYnHDvQHoUmkba0E

Source: Xworm V5.6.exe, 00000000.00000002.1964421526.0000003617300000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
Source: Xworm V5.6.exe, 00000000.00000002.1965231552.000001B31B404000.00000004.00000020.00020000.00000000.sdmp, Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6780

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fb8e0d72-a74f-4da5-b5c0-31a6c5041c56

Jump to behavior

Source: Xworm V5.6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Xworm V5.6.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Xworm V5.6.exe	ReversingLabs: Detection: 91%
Source: Xworm V5.6.exe	Virustotal: Detection: 71%

Source: Xworm V5.6.exe	String found in binary or memory: -help
Source: Xworm V5.6.exe	String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-pstlsdelsncsnrsnssnisnlsnhspfspespdsasscsswsltsccscsslpsosiscrcsemlsfxstmrvuanaxaiiwstxtaoadybspbseUnsupported switch postfix -stmUnsupported switch postfix -bbDuplicate archive path:Incorrect Number of benmchmark iterationsOnly one archive can be created with rename commandstdout mode and email mode cannot be combined-ai switch is not supported for this commandCannot use absolute pathnames for this commandArchive name cannot by emptyCannot find archive nameUnsupported -spf:2Unsupported command:The command must be spcifiedThere is no second file name for rename pair:Unsupported rename command:-rIncorrect wildcard type markerToo short switchUnsupported Map data sizeMap data errorUnsupported Map dataMapViewOfFile errorCan not open mappingIncorrect volume size:incorrect update switch commandUnsupported charset:Can not delete output folderCan not delete output fileCan not rename existing fileCan not create file with auto nameSeSecurityPrivilege
Source: Xworm V5.6.exe	String found in binary or memory: [ Play ]9StopToolStripMenuItem1.Image-StopToolStripMenuItem1
Source: Xworm V5.6.exe	String found in binary or memory: [ Extra 1 ]IReportWindowToolStripMenuItem1.Image=ReportWindowToolStripMenuItem1![ ReportWindow ]9StartToolStripMenuItem.Image-StartToolStripMenuItem7StopToolStripMenuItem.Image+StopToolStripMenuItemGPerformanceToolStripMenuItem1.Image;PerformanceToolStripMenuItem1
Source: Xworm V5.6.exe	String found in binary or memory: -Plugins\Ransomware.dll1Plugins\ReverseProxy.dll7Plugins\Ngrok-Installer.dll
Source: Xworm V5.6.exe	String found in binary or memory: cActiveWindows.dll,Chat.dll,Clipboard.dll,FileManager.dll,FilesSearcher.dll,HRDP.dll,HVNC.dll,Informations.dll,Keylogger.dll,Maps.dll,Microphone.dll,Ngrok-Installer.dll,Options.dll,Pastime.dll,Performance.dll,ProcessManager.dll,Programs.dll,Ransomware.dll,Chromium.dll,Recovery.dll,Stealer.dll,Regedit.dll,RemoteDesktop.dll,ReverseProxy.dll,RunPE.dll,Shell.dll,StartupManager.dll,TCPConnections.dll,UACBypass.dll,VB.NET Compiler.dll,WebCam.dll,WSound.dll,ServiceManager.dll,MessageBox.dll,HVNCMemory.dll,Cmstp-Bypass.dll,HiddenApps.dll,HBrowser.dll,VoiceChat.dll

Source: C:\Users\user\Desktop\Xworm V5.6.exe

File read: C:\Users\user\Desktop\Xworm V5.6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Xworm V5.6.exe "C:\Users\user\Desktop\Xworm V5.6.exe"
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6780 -s 1360

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Xworm V5.6.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Xworm V5.6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Xworm V5.6.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Xworm V5.6.exe

Static file information: File size 15602688 > 1048576

Source: Xworm V5.6.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0xebec00

Source: Xworm V5.6.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdbL$0H source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdbRSDS-L source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.pdbMZ@ source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdbX source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: PC:\Windows\Microsoft.VisualBasic.pdb0 source: Xworm V5.6.exe, 00000000.00000002.1964421526.0000003617300000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: .pdb- source: Xworm V5.6.exe, 00000000.00000002.1964421526.0000003617300000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdbX source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Runtime.Remoting.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbtACtl source: Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1965231552.000001B31B404000.00000004.00000020.00020000.00000000.sdmp, Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbfig source: Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbent1n source: Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbY}W source: Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbnA source: Xworm V5.6.exe, 00000000.00000002.1972683689.000001B337B00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1964421526.0000003617300000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: symbols\dll\Microsoft.VisualBasic.pdb` source: Xworm V5.6.exe, 00000000.00000002.1964421526.0000003617300000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Drawing.pdb) source: WERB03A.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERB03A.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Code function: 0_2_00007FFD9B7C00AD pushad ; iretd

0_2_00007FFD9B7C00C1

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected RUNPE

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Xworm V5.6.exe

Binary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Memory allocated: 1B31B380000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Memory allocated: 1B335040000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Xworm V5.6.exe	Binary or memory string: If (manufacturer = "microsoft corporation" AndAlso item("Model").ToString().ToUpperInvariant().Contains("VIRTUAL")) OrElse manufacturer.Contains("vmware") OrElse item("Model").ToString() = "VirtualBox" Then
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: Xworm V5.6.exe, type: SAMPLE

Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Users\user\Desktop\Xworm V5.6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Xworm V5.6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Xworm V5.6.exe	92%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
Xworm V5.6.exe	71%	Virustotal		Browse
Xworm V5.6.exe	100%	Avira	TR/AVI.XWorm.snnqo
Xworm V5.6.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://pastebin.com/raw/H3wFXmEi	2%	Virustotal		Browse
http://exmple.com	0%	Virustotal		Browse
https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip	1%	Virustotal		Browse
https://api.telegram.org/bot	4%	Virustotal		Browse
https://evilcoder.mysellix.io	0%	Virustotal		Browse
https://t.me/XCoderGroup	0%	Virustotal		Browse
http://ip-api.com/csv/?fields=status	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exmple.com	Xworm V5.6.exe	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/?	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	Xworm V5.6.exe	false	4%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers?	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.google.com/maps/place/)icons8-letter-16.png	Xworm V5.6.exe	false		unknown
http://www.carterandcone.coml	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://pastebin.com/raw/H3wFXmEi	Xworm V5.6.exe	false	2%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip	Xworm V5.6.exe	false	1%, Virustotal, Browse	unknown
https://evilcoder.mysellix.io	Xworm V5.6.exe	false	0%, Virustotal, Browse	unknown
http://www.jiyu-kobo.co.jp/	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/XCoderGroup	Xworm V5.6.exe	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Xworm V5.6.exe, 00000000.00000002.1966059097.000001B31D0B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com/csv/?fields=status	Xworm V5.6.exe	false	0%, Virustotal, Browse	unknown
http://ip-api.com/line/?fields=hosting	Xworm V5.6.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532861
Start date and time:	2024-10-14 02:41:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Xworm V5.6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 9 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Xworm V5.6.exe, PID 6780 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:43:14	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Xworm V5.6.exe_cf9afbc01e41f39085d44e42fe55b10f1508dcd_6ddd3646_948acb39-e6ee-4a51-926f-fb4da73f81e0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.185499921092448
Encrypted:	false
SSDEEP:	192:7jmQB3bLVQJ8eFOnf0NSVFU2HaWz8zvl/gCZFaDqrzuiFbZ24lO8cn:ZW8eNSVFBa48xAqrzuiFbY4lO8O
MD5:	79C3B261CC51A6DFBEB9D656339802D4
SHA1:	CB1D67138DDFCA228C1EA4AA9CEF757D09A7C732
SHA-256:	CD28A0566A39EC2A6390A0E10DA999E370D6C6BF7C46F17A241807A7B810710E
SHA-512:	D660A4CB1698F3FACF2DA2CD86F9DEA8E5CE04322EFDD0AE8F586829AAFCEA37DFE6B0AC6411E16CDCBE0869FD15E8D638A3A2C9F09AC9E6D7AE18A6BE404CE8
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.0.1.8.1.3.9.8.3.6.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.0.1.8.2.2.2.6.4.7.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.8.a.c.b.3.9.-.e.6.e.e.-.4.a.5.1.-.9.2.6.f.-.f.b.4.d.a.7.3.f.8.1.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.1.3.0.1.5.a.-.d.1.8.c.-.4.6.1.6.-.8.5.f.6.-.0.b.0.4.1.a.9.6.6.6.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.X.w.o.r.m. .V.5...6...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.W.o.r.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.d.c.f.9.-.9.3.0.0.d.2.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.1.d.b.3.d.3.1.e.2.f.6.7.3.b.3.e.4.4.3.2.3.2.b.0.d.6.1.e.4.c.b.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.4.6.8.8.e.c.1.5.1.1.b.8.3.0.6.3.f.7.b.0.1.6.7.a.e.2.5.0.7.6.4.b.7.5.9.1.d.1.!.X.w.o.r.m. .V.5...6...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB03A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Oct 14 00:43:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	500917
Entropy (8bit):	3.6046637001039397
Encrypted:	false
SSDEEP:	6144:6jfR6S3QWfcDofYanxpH/ATGxfS+A2A3Sq0:nyQWfcDGYanxpnHJq
MD5:	80BDE5684ADE07A39630AC6D21D8099B
SHA1:	E2FC72920252A7A67CEDE8DDB1F01AD4CE85AFE1
SHA-256:	1E7E6FB155661EF5C0EA51A966D902C8ACA706FFBAAB1C9317254034EC7EB798
SHA-512:	CDCE40ABDE397646B6326AAA2DFF53A42646DBB169410DBF88C6DC735034CF32BC3E865A32F2D73DB460C3C7DF22DE6ED879431024BC18856DC5A053A3F4D2BB
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........i.g............D...............d.......$...$#......$...H#......T>...z..........l.......8...........T...........X5..]o..........l1..........X3..............................................................................eJ.......3......Lw......................T.......\|....i.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB220.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10020
Entropy (8bit):	3.71212405016408
Encrypted:	false
SSDEEP:	192:R6l7wVeJvErWl6Y9ERQTgmfZf1yitapr289bEFWf5+Mm:R6lXJIWl6YuRQTgmfTtwE0fe
MD5:	27859AE16A8441491462A409CF4A3512
SHA1:	6CE9D0F5EFB354D99DB03AC4E22999BB004E6ED3
SHA-256:	290CE96778720773D0B4C88FC9E53DADD359A842CC6B59507350CC7773A19594
SHA-512:	85C3F24064E5C264DE326CB63CD535B958D6BA69DEC08B2BCC0C85CC59B8D8DF2933069A615CA2C10F928419C8F8CB428B9268DC66F3DC204A1C7FC317ED7DFE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB240.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4805
Entropy (8bit):	4.45435213571645
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg771I9HsWpW8VY/pYm8M4J0r7RnFxyq8vy7RqEg6RS9Skd:uIjfZI78F7Ve4J0rtWyUEg6RS9Skd
MD5:	6C80BF204FFC92CB6EB9A8B7E23A11BE
SHA1:	6768C067696B0CD160FB631668A0EE9053AA3A14
SHA-256:	68EB110E97F25A71A55C56051A6BEC656A08AFB3608E5E07CEA42821AC830ADF
SHA-512:	B819D859FEE87AFED4667F39C8895465C96BDD2248C330F5D35A79C632B6D8D1EB5C4585FE902A1290BB56FBCCECC75333B35F870B82495FAA49A0539E125A41
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542385" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465549404645594
Encrypted:	false
SSDEEP:	6144:tIXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABl0uNNdwBCswSbh:+XD94QWlLZMM6YFHz+h
MD5:	AFE4285470F67F1560D40BE33308B30D
SHA1:	209872E2381C624BF3D65C13CDCB0C1E20B79D72
SHA-256:	53A7116808D3B41DA5D1203CD3580B6120393FFC656B909F644B15BD6E3B6D02
SHA-512:	11EFE470BDCA391AD1F844705DA4541BBA5F6F8DF0474205465CDB0EDC3E0AB7A6D9479B516CABDE1B83DEA5F27893C74EDD9942B5D4C59865434DA009066165
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZ...................................................................................................................................................................................................................................................................................................................................................W.1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.551456590776816
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Xworm V5.6.exe
File size:	15'602'688 bytes
MD5:	db51a102eab752762748a2dec8f7f67a
SHA1:	194688ec1511b83063f7b0167ae250764b7591d1
SHA256:	93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2
SHA512:	fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5
SSDEEP:	196608:k4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:kuyIhhkRka4i
TLSH:	D2F69D107BD68006E47269B00A946AE199BEBEAF2B15D8AD30C4335C17F64CCF953BF5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.........."...0......&........... ... ....@.. ...............................$....`................................

File Icon


Icon Hash:	71331b969f1b1371

Static PE Info

General

Entrypoint:	0x12c0b9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65EB89ED [Fri Mar 8 21:58:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xec0b4c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xec2000	0x223ae	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xebeba4	0xebec00	c73b8400047076f819f0a34dd3e991d1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xec2000	0x223ae	0x22400	0ebff6d792a48134fd50fea7977ac567	False	0.45499258667883213	data	5.558879950134356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee6000	0xc	0x200	d6009659c0c7ac96ce7e89890f2b2b64	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xec2220	0x9738	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9994058689811944
RT_ICON	0xecb958	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	0.2102064355849994
RT_ICON	0xedc180	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	0.2754487482286254
RT_ICON	0xee03a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.33682572614107886
RT_ICON	0xee2950	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.42401500938086306
RT_ICON	0xee39f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.6941489361702128
RT_GROUP_ICON	0xee3e60	0x5a	data	0.7666666666666667
RT_VERSION	0xee3ebc	0x308	data	0.44458762886597936
RT_MANIFEST	0xee41c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	20:42:52
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\Xworm V5.6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Xworm V5.6.exe"
Imagebase:	0x1b31a260000
File size:	15'602'688 bytes
MD5 hash:	DB51A102EAB752762748A2DEC8F7F67A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RUNPE, Description: Yara detected RUNPE, Source: 00000000.00000000.1746007824.000001B31AEF9000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:43:01
Start date:	13/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6780 -s 1360
Imagebase:	0x7ff61fcf0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B7C09E0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b24ade238746ffffc6c938fc150e49383e3b206016da432273f4b353e680cc0
Instruction ID: 28bc04f2ab2fdbacbafd42f9a6d491ee536e5e81361ee4141b0a13da10945975
Opcode Fuzzy Hash: 4b24ade238746ffffc6c938fc150e49383e3b206016da432273f4b353e680cc0
Instruction Fuzzy Hash: 8091FC34A1561D8FDBA4EB68C851BA8B3B2FF54304F5141BDD00DD72A2DE35A982CF40

Function 00007FFD9B7C337A Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf40b2e88a533f14f687a9d328257eb7cf8428664c930c3dc1e716f0fbdd3b3
Instruction ID: 1b97279e692cf72eae9c3f4609fcc0d8d16a475ee369941c657c59b4f3e742e7
Opcode Fuzzy Hash: adf40b2e88a533f14f687a9d328257eb7cf8428664c930c3dc1e716f0fbdd3b3
Instruction Fuzzy Hash: FB714E70A19A5D8FDBA8EF58D8A5BB8B7B1FF58300F1501ADD00DD72A2DE346981CB00

Function 00007FFD9B7C0B43 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ac346f82fe04d35c33ca2e5df779f3902e1870b13c908914bd5b9bca6af6b8
Instruction ID: bbc85b1c0a80e0622159650b96f699aaf91b649f414b944247659a62d630e777
Opcode Fuzzy Hash: 93ac346f82fe04d35c33ca2e5df779f3902e1870b13c908914bd5b9bca6af6b8
Instruction Fuzzy Hash: C751B770A05A5C8FDBA4EF68C494BA8B7B2FF58301F1141ADD00DE72A2DA35AD85CF40

Function 00007FFD9B7C34CE Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5735a29a42a161cf3175204bdf37a55cd9284eccd53ddc585031eaad0a94b1d
Instruction ID: e2054c34e6710bad1374bfdcb9f07c46b94908dc2901f0fcfd7cb7412f238e61
Opcode Fuzzy Hash: d5735a29a42a161cf3175204bdf37a55cd9284eccd53ddc585031eaad0a94b1d
Instruction Fuzzy Hash: 1E41F770A18A5D9FDF98EF58D8A5BB8B7B2FF58300F5101A9D01DD32A6DE35A841CB01

Function 00007FFD9B7C3698 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278a14827c6b641ec87fa4167659fa9a8c4697c16ed28e059e27cc0e4adbfb78
Instruction ID: de7c0208e2ec33886b01f6efa1dd2e5fc5f5f038304ea918891dcf121ba94d85
Opcode Fuzzy Hash: 278a14827c6b641ec87fa4167659fa9a8c4697c16ed28e059e27cc0e4adbfb78
Instruction Fuzzy Hash: 8B31E774A0892D8FDBA5EF18C855BE8B7B1FF68304F4141E9905DE32A6DA706E818F40

Function 00007FFD9B7C1932 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efaee1c444ddda7acccb561c4a4a2876cf14a5be4c9988c9188d7f14b320ac53
Instruction ID: d7104039f7cc2ea3a77267681d6939f05249b9c83641014e5c8737f77aca3491
Opcode Fuzzy Hash: efaee1c444ddda7acccb561c4a4a2876cf14a5be4c9988c9188d7f14b320ac53
Instruction Fuzzy Hash: 34212731E0EBDE4FE755AB6858355A97BA1EF41310F0902BBD045D72E3CE2469048751

Function 00007FFD9B7C08B1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e16cdbc630f324eb20de4bfb2c5a9a425cf6491c0a553848ed9a7229118411c
Instruction ID: e3920fc224b3c67824caca02ec854d5d21d5e072fe6e5cbcb75316fbb5199789
Opcode Fuzzy Hash: 1e16cdbc630f324eb20de4bfb2c5a9a425cf6491c0a553848ed9a7229118411c
Instruction Fuzzy Hash: A0017970E0970E8FDB50EFA488696FE36B0FF15301F41097AE418D62A6DB386A00CB81

Function 00007FFD9B7C2629 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1ca6fb8fb752524ee389da796a8931a51cfed2264d879f732628699cf47580
Instruction ID: b2fcb092c4a4f0ee797d39238432b68281c29597d94b8c9fb047cf84af4eda6c
Opcode Fuzzy Hash: 2b1ca6fb8fb752524ee389da796a8931a51cfed2264d879f732628699cf47580
Instruction Fuzzy Hash: B301B630A14A0D9FDB84EF68C494AA977A0FF58305F4145A9E41DD72A1DB35E991CB00

Function 00007FFD9B7C0CB4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1973201376.00007FFD9B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7c0000_Xworm V5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36c2798c130d7a33c4c4246de7b7f2bc9d57b6ca0b91b920756c09cc40638a4
Instruction ID: 8afb4bf802539cde0ed4446906268f6813c5efc72705067fcbe34a6a49b0831c
Opcode Fuzzy Hash: a36c2798c130d7a33c4c4246de7b7f2bc9d57b6ca0b91b920756c09cc40638a4
Instruction Fuzzy Hash: 6AE0E534E0452D8ACB64EF64E8616ACB371FF85300F5051B9C01DE3292CB366946CB40

Source: Xworm V5.6.exe	String found in binary or memory: http://exmple.com
Source: Xworm V5.6.exe	String found in binary or memory: http://ip-api.com/csv/?fields=status
Source: Xworm V5.6.exe	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Xworm V5.6.exe, 00000000.00000002.1966059097.000001B31D0B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Xworm V5.6.exe, 00000000.00000002.1971612501.000001B337142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Xworm V5.6.exe	String found in binary or memory: https://api.telegram.org/bot
Source: Xworm V5.6.exe	String found in binary or memory: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip
Source: Xworm V5.6.exe	String found in binary or memory: https://evilcoder.mysellix.io
Source: Xworm V5.6.exe	String found in binary or memory: https://pastebin.com/raw/H3wFXmEi
Source: Xworm V5.6.exe	String found in binary or memory: https://t.me/XCoderGroup
Source: Xworm V5.6.exe	String found in binary or memory: https://www.google.com/maps/place/)icons8-letter-16.png

Source: Xworm V5.6.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: Xworm V5.6.exe, 00000000.00000000.1751201148.000001B31B122000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXWorm.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ \| FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.dll, vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilename7z.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilename vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ \| FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilename7z.dll, vs Xworm V5.6.exe
Source: Xworm V5.6.exe	Binary or memory string: OriginalFilenameXWorm.exe, vs Xworm V5.6.exe

Source: Xworm V5.6.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1746007824.000001B31AB66000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Xworm V5.6.exe PID: 6780, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Xworm V5.6.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, ToolsBox.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, Builder.cs	Cryptographic APIs: 'TransformFinalBlock'

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Xworm V5.6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Xworm V5.6.exe_cf9afbc01e41f39085d44e42fe55b10f1508dcd_6ddd3646_948acb39-e6ee-4a51-926f-fb4da73f81e0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB03A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB220.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB240.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Xworm V5.6.exe