Edit tour

Windows Analysis Report
XSLHv0kxy7.exe

Overview

General Information

Sample name:	XSLHv0kxy7.exe renamed because original name is a hash value
Original sample name:	310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8.exe
Analysis ID:	1557205
MD5:	a8bf7d1f42ce4fe13c76e01befe367fa
SHA1:	add32173cf45061d651b75f8b7ab33f86fdfbee7
SHA256:	310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

XSLHv0kxy7.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\XSLHv0kxy7.exe" MD5: A8BF7D1F42CE4FE13C76E01BEFE367FA)

P00LCUE.exe (PID: 7552 cmdline: "C:\Users\user\AppData\Local\Temp\P00LCUE.exe" MD5: 82389ACF1B04E8442FDAFA7C49C29A97)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7624 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

BLACKSUPER X.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe" MD5: 2D58B179EC133F1016A2496A96C5DA20)

WerFault.exe (PID: 7892 cmdline: C:\Windows\system32\WerFault.exe -u -p 7576 -s 1684 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["185.84.161.66"], "Port": 5000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcba4:$s6: VirtualBox 0xcb02:$s8: Win32_ComputerSystem 0xeff0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf08d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf1a2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe23c:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc9a4:$s6: VirtualBox 0xc902:$s8: Win32_ComputerSystem 0xedf0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee8d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xefa2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe03c:$cnc4: POST / HTTP/1.1
00000003.00000002.1998540533.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x48a94:$s6: VirtualBox 0x5ad14:$s6: VirtualBox 0x489f2:$s8: Win32_ComputerSystem 0x5ac72:$s8: Win32_ComputerSystem 0x4aee0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5d160:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4af7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d1fd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4b092:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d312:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4a12c:$cnc4: POST / HTTP/1.1 0x5c3ac:$cnc4: POST / HTTP/1.1
Process Memory Space: XSLHv0kxy7.exe PID: 7468	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: BLACKSUPER X.exe PID: 7576	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.BLACKSUPER X.exe.950000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.BLACKSUPER X.exe.950000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.BLACKSUPER X.exe.950000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcba4:$s6: VirtualBox 0xcb02:$s8: Win32_ComputerSystem 0xeff0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf08d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf1a2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe23c:$cnc4: POST / HTTP/1.1
0.2.XSLHv0kxy7.exe.2fbf170.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.XSLHv0kxy7.exe.2fbf170.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xada4:$s6: VirtualBox 0xad02:$s8: Win32_ComputerSystem 0xd1f0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd28d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd3a2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc43c:$cnc4: POST / HTTP/1.1
0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xcba4:$s6: VirtualBox 0xcb02:$s8: Win32_ComputerSystem 0xeff0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf08d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf1a2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe23c:$cnc4: POST / HTTP/1.1
0.2.XSLHv0kxy7.exe.2f90c68.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.XSLHv0kxy7.exe.2f90c68.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x28e2c:$s6: VirtualBox 0x3b0ac:$s6: VirtualBox 0x28d8a:$s8: Win32_ComputerSystem 0x3b00a:$s8: Win32_ComputerSystem 0x2b278:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3d4f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2b315:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3d595:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2b42a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3d6aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2a4c4:$cnc4: POST / HTTP/1.1 0x3c744:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XSLHv0kxy7.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["185.84.161.66"], "Port": 5000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: XSLHv0kxy7.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: XSLHv0kxy7.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: 185.84.161.66
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: 5000
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: <123456789>
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: <Xwormmm>
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: XWorm V5.6
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: USB.exe
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: %AppData%
Source: 3.0.BLACKSUPER X.exe.950000.0.unpack	String decryptor: XClient.exe

Source: XSLHv0kxy7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: XSLHv0kxy7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Source Code\AntiHead\AntiHead\x64\Release\aobtoaddrrw.pdb source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, P00LCUE.exe, 00000001.00000000.1713302423.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe, 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe.0.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Management.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Management.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5045.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5045.tmp.dmp.8.dr
Source:	Binary string: D:\Source Code\AntiHead\AntiHead\x64\Release\aobtoaddrrw.pdb'' source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, P00LCUE.exe, 00000001.00000000.1713302423.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe, 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe.0.dr
Source:	Binary string: System.Xml.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5045.tmp.dmp.8.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.84.161.66

Yara detected Generic Downloader

Source: Yara match	File source: 3.0.BLACKSUPER X.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, type: DROPPED

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, BLACKSUPER X.exe, 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, BLACKSUPER X.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: P00LCUE.exe, P00LCUE.exe, 00000001.00000002.1836572125.00000203B8FEC000.00000004.00000020.00020000.00000000.sdmp, P00LCUE.exe, 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: P00LCUE.exe, 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/k
Source: P00LCUE.exe, 00000001.00000002.1836572125.00000203B8FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/y

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Code function: 1_2_00007FF620374160 GetAsyncKeyState,ShowWindow,Sleep,

1_2_00007FF620374160

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.BLACKSUPER X.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.XSLHv0kxy7.exe.2f90c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Code function: 1_2_00007FF620373550 CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,OpenProcess,Process32NextW,CloseHandle,TerminateProcess,CloseHandle,memset,??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ,??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z,??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ,?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,system,MessageBoxW,ShellExecuteW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,CloseHandle,??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ,??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ,??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ,

1_2_00007FF620373550

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Code function: 0_2_00007FFD9B780A21	0_2_00007FFD9B780A21
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF620373D50	1_2_00007FF620373D50
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF6203741C0	1_2_00007FF6203741C0
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF620373A40	1_2_00007FF620373A40
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF620371340	1_2_00007FF620371340
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF620373550	1_2_00007FF620373550
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Code function: 3_2_00007FFD9B791719	3_2_00007FFD9B791719
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Code function: 3_2_00007FFD9B796E72	3_2_00007FFD9B796E72
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Code function: 3_2_00007FFD9B7960C6	3_2_00007FFD9B7960C6
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Code function: 3_2_00007FFD9B791038	3_2_00007FFD9B791038
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Code function: 3_2_00007FFD9B7920F1	3_2_00007FFD9B7920F1

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7576 -s 1684

Source: XSLHv0kxy7.exe, 00000000.00000002.1716093621.000000001B92E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBLACKSUPER X.exe4 vs XSLHv0kxy7.exe
Source: XSLHv0kxy7.exe, 00000000.00000000.1686464082.0000000000C66000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameP00LCUE.exe4 vs XSLHv0kxy7.exe
Source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBLACKSUPER X.exe4 vs XSLHv0kxy7.exe
Source: XSLHv0kxy7.exe	Binary or memory string: OriginalFilenameP00LCUE.exe4 vs XSLHv0kxy7.exe

Source: XSLHv0kxy7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.0.BLACKSUPER X.exe.950000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.XSLHv0kxy7.exe.2f90c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: XSLHv0kxy7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BLACKSUPER X.exe.0.dr, tpDAhG0zUl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: BLACKSUPER X.exe.0.dr, tpDAhG0zUl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: BLACKSUPER X.exe.0.dr, HZi2QofiYG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, tpDAhG0zUl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, tpDAhG0zUl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, HZi2QofiYG.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: BLACKSUPER X.exe.0.dr, ErDSEmjKOU.cs	Base64 encoded string: 'WE1AmsCB2TWvNaF1KPhUwSHbKi3Z9SmiOYvXoEA26vDq3zuas768HnJdTGMt'
Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	Base64 encoded string: 'MgmiczaY3BkFwWAsYXke543AHRV8FT9fYUnqfFqPYtuYYQiCCMGys5HYnAKP', 'hFc50vYm8887299Fdxp2hn44dmsVG28LfBPiTEShEjVl407eVpQPe5xFZk8t', 'uMzoEzFe7CEn7byPxHI3nFqEqtfTe776giARKpwHhMJ2IfWgnjvVMAbW3lbU', 'qZAG5hC16c2eNFepVxabxEdUj57hVumr3O7W0i0PmVs4SdQMmjNfoeMS7XF4', 'xCIRlcMxX1lgBCvsBuv0ZmhzJfytmnlsPaD3pFfmXHfptnJPO7IX3mQjb52i', 'g0PZNoSneTGDhbk8J934ioFZ2OTBUUHfpqaDIopJL7n4U6vhSchRTNZkkbBY', 'KtDkKK7th3WX1bE8rLGIKIm216PToiUZKjFnc7OIvuwqBkldyCObPG4TatCk', 'o0PZpqp6GUzOwgFN5fRvFZxt8nUkjlVpwvKTY3rsWPMNVo4jeZgx2KWrtXnS', 'q3J9g8TKg86eB2Uoqj4FJAx9723VsXanLeZkwO6T1Lbrw46agDT0hrNmqaFy'
Source: BLACKSUPER X.exe.0.dr, PY7JtnPMei.cs	Base64 encoded string: 'HBNoFrOxkbuAdBpXCEZtxhHUabWlzT57T0CUHQEXdS6mSUmAw1wWYuWDWsX6'
Source: BLACKSUPER X.exe.0.dr, n3KIdyQiO9.cs	Base64 encoded string: 'rgSOwPY8xVfDT9ZrBCnqTPkJ7GsCHwhqivO1mpH9TuSZ39QxGYhp6PjrQC6f', 'If1K0jS9QK4WQf73BUZfHJrFSvOflBIS5OMSCfMGJvjnEBgDy24cV8OQEjrD', 'qpJl67ANVjsQssJODQpyQZOe8ykoNXyRMvmsbut3Xhy6LO3Yju8rUvwz9i11', 'hVSSuRpw4Vfi9ytiumdRo3v8RHZTMYa5YyLvqMziBWU6x2egUR87g12NTEra', 'XrYyqd6F6fK8GUVPBOqxIgHnDqZ6juGRR8dB8UaK8QJUVbrrV2gxtuhEYUCI', 'SHL7hejTQPRyD7AqB7zxDgMPIvBir7Rs16ziWChiHK6GD8aI13oinC00uK5p'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, ErDSEmjKOU.cs	Base64 encoded string: 'WE1AmsCB2TWvNaF1KPhUwSHbKi3Z9SmiOYvXoEA26vDq3zuas768HnJdTGMt'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	Base64 encoded string: 'MgmiczaY3BkFwWAsYXke543AHRV8FT9fYUnqfFqPYtuYYQiCCMGys5HYnAKP', 'hFc50vYm8887299Fdxp2hn44dmsVG28LfBPiTEShEjVl407eVpQPe5xFZk8t', 'uMzoEzFe7CEn7byPxHI3nFqEqtfTe776giARKpwHhMJ2IfWgnjvVMAbW3lbU', 'qZAG5hC16c2eNFepVxabxEdUj57hVumr3O7W0i0PmVs4SdQMmjNfoeMS7XF4', 'xCIRlcMxX1lgBCvsBuv0ZmhzJfytmnlsPaD3pFfmXHfptnJPO7IX3mQjb52i', 'g0PZNoSneTGDhbk8J934ioFZ2OTBUUHfpqaDIopJL7n4U6vhSchRTNZkkbBY', 'KtDkKK7th3WX1bE8rLGIKIm216PToiUZKjFnc7OIvuwqBkldyCObPG4TatCk', 'o0PZpqp6GUzOwgFN5fRvFZxt8nUkjlVpwvKTY3rsWPMNVo4jeZgx2KWrtXnS', 'q3J9g8TKg86eB2Uoqj4FJAx9723VsXanLeZkwO6T1Lbrw46agDT0hrNmqaFy'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, PY7JtnPMei.cs	Base64 encoded string: 'HBNoFrOxkbuAdBpXCEZtxhHUabWlzT57T0CUHQEXdS6mSUmAw1wWYuWDWsX6'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, n3KIdyQiO9.cs	Base64 encoded string: 'rgSOwPY8xVfDT9ZrBCnqTPkJ7GsCHwhqivO1mpH9TuSZ39QxGYhp6PjrQC6f', 'If1K0jS9QK4WQf73BUZfHJrFSvOflBIS5OMSCfMGJvjnEBgDy24cV8OQEjrD', 'qpJl67ANVjsQssJODQpyQZOe8ykoNXyRMvmsbut3Xhy6LO3Yju8rUvwz9i11', 'hVSSuRpw4Vfi9ytiumdRo3v8RHZTMYa5YyLvqMziBWU6x2egUR87g12NTEra', 'XrYyqd6F6fK8GUVPBOqxIgHnDqZ6juGRR8dB8UaK8QJUVbrrV2gxtuhEYUCI', 'SHL7hejTQPRyD7AqB7zxDgMPIvBir7Rs16ziWChiHK6GD8aI13oinC00uK5p'

Source: BLACKSUPER X.exe.0.dr, n3KIdyQiO9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: BLACKSUPER X.exe.0.dr, n3KIdyQiO9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, n3KIdyQiO9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, n3KIdyQiO9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/9@1/1

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

1_2_00007FF620373550

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Code function: 1_2_00007FF6203725B0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,CloseHandle,

1_2_00007FF6203725B0

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XSLHv0kxy7.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Mutant created: \Sessions\1\BaseNamedObjects\kTN3ZgltU7MG4IpH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Mutant created: \Sessions\1\BaseNamedObjects\JUtjwRb1a5YSYhsFv
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7576

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

File created: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Jump to behavior

Source: XSLHv0kxy7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: XSLHv0kxy7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XSLHv0kxy7.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\XSLHv0kxy7.exe "C:\Users\user\Desktop\XSLHv0kxy7.exe"
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process created: C:\Users\user\AppData\Local\Temp\P00LCUE.exe "C:\Users\user\AppData\Local\Temp\P00LCUE.exe"
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process created: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe "C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe"
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7576 -s 1684
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process created: C:\Users\user\AppData\Local\Temp\P00LCUE.exe "C:\Users\user\AppData\Local\Temp\P00LCUE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process created: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe "C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: XSLHv0kxy7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: XSLHv0kxy7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Source Code\AntiHead\AntiHead\x64\Release\aobtoaddrrw.pdb source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, P00LCUE.exe, 00000001.00000000.1713302423.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe, 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe.0.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Management.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Management.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5045.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5045.tmp.dmp.8.dr
Source:	Binary string: D:\Source Code\AntiHead\AntiHead\x64\Release\aobtoaddrrw.pdb'' source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, P00LCUE.exe, 00000001.00000000.1713302423.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe, 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmp, P00LCUE.exe.0.dr
Source:	Binary string: System.Xml.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5045.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER5045.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER5045.tmp.dmp.8.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt.kMDuGc02ge8cpng7ZsmLHbLlNFJehosu6PueqNeFTpFroP3Ez6Qf31H7kcmf7i17tVoZ,a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt._5w5tbhXWOeI8QMmQjxaviweEbjZQI8FEX4fgA01PL4ALkA4Qlmt3ulbW66O3Cuog4ne0,a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt.T7pUBdp507p6EP0P1Z0pSQExwbTJKlftMvMh1cq2bI5uEY7eZLz3ShCTblaY8AVzlCjc,a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt.VsewsTRWPJw52kvXd5Rc6Pefmw9KaWkL5tneRgIvzGqvJNrXhT0lTEnfAidFyJrPZZPE,tpDAhG0zUl.gcBtaiO2Ox()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Rp5lo6l6F7[2],tpDAhG0zUl.VpSQw46ypp(Convert.FromBase64String(Rp5lo6l6F7[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt.kMDuGc02ge8cpng7ZsmLHbLlNFJehosu6PueqNeFTpFroP3Ez6Qf31H7kcmf7i17tVoZ,a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt._5w5tbhXWOeI8QMmQjxaviweEbjZQI8FEX4fgA01PL4ALkA4Qlmt3ulbW66O3Cuog4ne0,a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt.T7pUBdp507p6EP0P1Z0pSQExwbTJKlftMvMh1cq2bI5uEY7eZLz3ShCTblaY8AVzlCjc,a0XWIyjkU8Lc5tDyCbTtWGsCj5NYirpaA1BuwDjUVy6LHfTQLZKpTsfLnJURN3t7aIqt.VsewsTRWPJw52kvXd5Rc6Pefmw9KaWkL5tneRgIvzGqvJNrXhT0lTEnfAidFyJrPZZPE,tpDAhG0zUl.gcBtaiO2Ox()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Rp5lo6l6F7[2],tpDAhG0zUl.VpSQw46ypp(Convert.FromBase64String(Rp5lo6l6F7[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	.Net Code: e59VesoClT System.AppDomain.Load(byte[])
Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	.Net Code: PvWbVsbuTk System.AppDomain.Load(byte[])
Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	.Net Code: PvWbVsbuTk
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	.Net Code: e59VesoClT System.AppDomain.Load(byte[])
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	.Net Code: PvWbVsbuTk System.AppDomain.Load(byte[])
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	.Net Code: PvWbVsbuTk

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Code function: 0_2_00007FFD9B7800BD pushad ; iretd		0_2_00007FFD9B7800C1
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Code function: 3_2_00007FFD9B7900BD pushad ; iretd		3_2_00007FFD9B7900C1

Source: XSLHv0kxy7.exe

Static PE information: section name: .text entropy: 7.90058172087949

Source: BLACKSUPER X.exe.0.dr, 6y6fTLfdmw.cs	High entropy of concatenated method names: 'r1pE7cxAi3', 'leUKedZ8We', 'f1y2ifNPgq', 'bWirCDm5tCoJAueejbZUoAml9i3IX6hhOHcRw8Ni3dmKHQ2uplSY9PX1oxTTtSItxtqLvnNfCUPpp', 'Ufm2NbBWFFUJluMp1pQ7', '_1IfTyBLLBGCPGzQjdLJ7', 'Bow0iJ0WkmQmLKCzmfrf', 'viXhBtxHrSIWsh6BsCWH', 'N4Hg7Akgr7RQbYxVdIvS', 'oFCWSJmO6zWON5T7JNvw'
Source: BLACKSUPER X.exe.0.dr, HGK41wUbpnbAJKkqXT5m1RUGLtrCjERgv4S3U45gom3hlGxjzKRGYtj72FjsSjZ4BP7SDymwVtxo2pnQrh.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZwN4yuWNRde3fqG8wbmCi241tDr', 'xhgKOfLcxuNWikE7Z4i8y6Mud81', 'AID4WqfPr1DUu8TJuHvjLWkm4lM', 'NUm2yOsuOyb9yhggxzlRONTzVn3'
Source: BLACKSUPER X.exe.0.dr, ErDSEmjKOU.cs	High entropy of concatenated method names: '_85jw7v8ahg', 'pqbOR3hCLygYVdNL7vbNnmUUT8V1ULI0oOAcaJsFduBHBu6zYETViqVIMe5h', '_35xXSt1vBIliGX7KrzW4HoRwGXasNzmWPjO0fYQoVySp84SvcVgR5NBChApE', 'bwR1ZQ4yhHjNRGLnQgxESC07ECdQpu4PqRNJK0AYp6QOqnOfe4jefE11pTGq', 'Wh247KdpiQv4UUVEPozh7kULebWztqasCKxBJvSzdNV4kxyxfYXLUyGTOMz1'
Source: BLACKSUPER X.exe.0.dr, GUgccjJtjJ.cs	High entropy of concatenated method names: '_5BuAtO1BOY', 'e59VesoClT', 'Mrb22HR30q', 'ctbCX7z6KO', 'SoGW4iJen1', 'huexvCvWye', 'wjUywfnS3E', 'UIrPwhbo6o', 'mZ4RUgPZM6', 'dT2Fzruxk2'
Source: BLACKSUPER X.exe.0.dr, tpDAhG0zUl.cs	High entropy of concatenated method names: 'EPw49eRJh5', 'se8fVe7jL8', 'XBaVO5EGTW', 'R5BPXXXfsU', 'UajYYsAZEA', 'rJZGYY0taE', '_4MzPbwUjeC', '_3skLWU8FHH', 'ZWft8eomYs', 'Hq7h9DJ9wv'
Source: BLACKSUPER X.exe.0.dr, P2Vqq9xwoV.cs	High entropy of concatenated method names: 'ORvjTTLwKq', 'mTYkfW3UWB', 'gnlBzsfBeV', 'veqXNgWGfk', 'TkAgxOp7OKlAyqYvvs2v8CubsxYb6AMivnnZU4u6TUdjq', 'Dyj528U9STg0sVox3191SsGkv8KnqVvQBlQu0FCBycp2T', 'StMlnb7c4Z9xV3mTCQQZJRXkXUxr5MYVSzIC3pm4qmUNv', 'psD1EP5HV49xlYVAinlNxSuKMSHVjwkTVbQcoxCvUM0gG', 'Y3vZqIeQQQ0hBXYPvWQF7OLGnW51wTezDYH5xn2bFrYA9', 'jShWleb5BLHS2pu2fN2Wsxu7OObfm5jscXvUZilt7dMKh'
Source: BLACKSUPER X.exe.0.dr, dbUysTjE0ENnFMBRDntG94GeNuwRYMkducDkPzxsgNXNaovfgGmW810rO1JUq62gGg8g.cs	High entropy of concatenated method names: 'TIbCNkcYyxuH9eL0ReWeGjNJcsx1YCanlAadyCevWS0cFYBR1K3JB99P2PWaqGuYuSQP', 'zX0ekSmTMBfTkaj40b69wGiz5GEL9OBvkgeCXZ5JerZZGeq66pXcr5ZRhU2pyJasygOA', '_30YJyjl2hLsQcB63fpcumhMkh45NyIXa5EWMXB5IdS0PZKQjr6PId7zOTyBBt3oe2FDc', 'FLLwHzwPXN6GglZILDJyjnoXDvBjiH04eB5UVh0zhcLGHnZ0gy3cHW2NrrMNnUp8tzzD', '_68o6uFW7msbGoUvfIbGEJKd1thvuaQVejXQVJOLtC3wVAzDwzF4zkaNUNykGJyd8kUUr', '_9H5NEYXIU8hWslae1Mgr5S3nhYTjkaYRdS1uchi46XZ64x8foVJHf4cllmXTv6uHIgVC', 'ElKXm4mN3IChSqVCnzICSdFgQG1NW12uAo6fYv44ecPOtj2S1X2ojuEb8g8Ma6Dk5Wvq', 'y6SLzeOwug7tygveKfaUgTuIoXEIchFRPm1TQ9uszdnThbjCBg1IiJkDjppNcmEX4CSc', 'htEXgwEFBnsVY3em3b67LblZ3eWG6FecG3ZJzBrndm9IKj27xEApNkk0liWf1UAuRi5U', '_5y5lJS2i0ny21jqL2roNHnCj8mL9f1NcYojpF4WCd5QCYT4DN0j6Oxzsi1oH1LlOXbQF'
Source: BLACKSUPER X.exe.0.dr, HZi2QofiYG.cs	High entropy of concatenated method names: 'T4SpxDr8NY', 'ToUOouwhj2Q2kIMkNjzebcjiLsDcNYxl7Js7wE3HnKUm9', 'qA4ugixNt7zMxcx61mjLzBpKv3Qj0hMp8pgOrlL6qsQBb', 't5y7kZYLRZvx2VQxUYFlDMVOOtZ6NmMz0irQBrzqS4eSr', '_1KDw1rQLHBRmlAh25BiKNYcVR2XsIg6iSsOBqmTUdSm05'
Source: BLACKSUPER X.exe.0.dr, PY7JtnPMei.cs	High entropy of concatenated method names: 'PIzi7fb2RQ', 'Y174dhc0Sy', 'tpymlfR0lq', 'v8a2lNM4Pk', '_88UlDrGuYM', 'yuQ8kIGqru', 'SyVUy8RwjX', 'FDpj49fNfe', '_6J8O3NCmM9', 'MifUmqNUvZ'
Source: BLACKSUPER X.exe.0.dr, n3KIdyQiO9.cs	High entropy of concatenated method names: '_9WHRSclXIP', 'eo7Gv6raPY', 'IGwpVYsrCP', 'MGWe0a8cvY', 'aKsxOtSHnl', 'p8PCcdpIXJ', 'UPkVeQIWtZ', 'DmGhX3DYyb', 'W4Qp0T1L6g', 'tAVZBIkjFZ'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, 6y6fTLfdmw.cs	High entropy of concatenated method names: 'r1pE7cxAi3', 'leUKedZ8We', 'f1y2ifNPgq', 'bWirCDm5tCoJAueejbZUoAml9i3IX6hhOHcRw8Ni3dmKHQ2uplSY9PX1oxTTtSItxtqLvnNfCUPpp', 'Ufm2NbBWFFUJluMp1pQ7', '_1IfTyBLLBGCPGzQjdLJ7', 'Bow0iJ0WkmQmLKCzmfrf', 'viXhBtxHrSIWsh6BsCWH', 'N4Hg7Akgr7RQbYxVdIvS', 'oFCWSJmO6zWON5T7JNvw'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, HGK41wUbpnbAJKkqXT5m1RUGLtrCjERgv4S3U45gom3hlGxjzKRGYtj72FjsSjZ4BP7SDymwVtxo2pnQrh.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ZwN4yuWNRde3fqG8wbmCi241tDr', 'xhgKOfLcxuNWikE7Z4i8y6Mud81', 'AID4WqfPr1DUu8TJuHvjLWkm4lM', 'NUm2yOsuOyb9yhggxzlRONTzVn3'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, ErDSEmjKOU.cs	High entropy of concatenated method names: '_85jw7v8ahg', 'pqbOR3hCLygYVdNL7vbNnmUUT8V1ULI0oOAcaJsFduBHBu6zYETViqVIMe5h', '_35xXSt1vBIliGX7KrzW4HoRwGXasNzmWPjO0fYQoVySp84SvcVgR5NBChApE', 'bwR1ZQ4yhHjNRGLnQgxESC07ECdQpu4PqRNJK0AYp6QOqnOfe4jefE11pTGq', 'Wh247KdpiQv4UUVEPozh7kULebWztqasCKxBJvSzdNV4kxyxfYXLUyGTOMz1'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, GUgccjJtjJ.cs	High entropy of concatenated method names: '_5BuAtO1BOY', 'e59VesoClT', 'Mrb22HR30q', 'ctbCX7z6KO', 'SoGW4iJen1', 'huexvCvWye', 'wjUywfnS3E', 'UIrPwhbo6o', 'mZ4RUgPZM6', 'dT2Fzruxk2'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, tpDAhG0zUl.cs	High entropy of concatenated method names: 'EPw49eRJh5', 'se8fVe7jL8', 'XBaVO5EGTW', 'R5BPXXXfsU', 'UajYYsAZEA', 'rJZGYY0taE', '_4MzPbwUjeC', '_3skLWU8FHH', 'ZWft8eomYs', 'Hq7h9DJ9wv'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, P2Vqq9xwoV.cs	High entropy of concatenated method names: 'ORvjTTLwKq', 'mTYkfW3UWB', 'gnlBzsfBeV', 'veqXNgWGfk', 'TkAgxOp7OKlAyqYvvs2v8CubsxYb6AMivnnZU4u6TUdjq', 'Dyj528U9STg0sVox3191SsGkv8KnqVvQBlQu0FCBycp2T', 'StMlnb7c4Z9xV3mTCQQZJRXkXUxr5MYVSzIC3pm4qmUNv', 'psD1EP5HV49xlYVAinlNxSuKMSHVjwkTVbQcoxCvUM0gG', 'Y3vZqIeQQQ0hBXYPvWQF7OLGnW51wTezDYH5xn2bFrYA9', 'jShWleb5BLHS2pu2fN2Wsxu7OObfm5jscXvUZilt7dMKh'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, dbUysTjE0ENnFMBRDntG94GeNuwRYMkducDkPzxsgNXNaovfgGmW810rO1JUq62gGg8g.cs	High entropy of concatenated method names: 'TIbCNkcYyxuH9eL0ReWeGjNJcsx1YCanlAadyCevWS0cFYBR1K3JB99P2PWaqGuYuSQP', 'zX0ekSmTMBfTkaj40b69wGiz5GEL9OBvkgeCXZ5JerZZGeq66pXcr5ZRhU2pyJasygOA', '_30YJyjl2hLsQcB63fpcumhMkh45NyIXa5EWMXB5IdS0PZKQjr6PId7zOTyBBt3oe2FDc', 'FLLwHzwPXN6GglZILDJyjnoXDvBjiH04eB5UVh0zhcLGHnZ0gy3cHW2NrrMNnUp8tzzD', '_68o6uFW7msbGoUvfIbGEJKd1thvuaQVejXQVJOLtC3wVAzDwzF4zkaNUNykGJyd8kUUr', '_9H5NEYXIU8hWslae1Mgr5S3nhYTjkaYRdS1uchi46XZ64x8foVJHf4cllmXTv6uHIgVC', 'ElKXm4mN3IChSqVCnzICSdFgQG1NW12uAo6fYv44ecPOtj2S1X2ojuEb8g8Ma6Dk5Wvq', 'y6SLzeOwug7tygveKfaUgTuIoXEIchFRPm1TQ9uszdnThbjCBg1IiJkDjppNcmEX4CSc', 'htEXgwEFBnsVY3em3b67LblZ3eWG6FecG3ZJzBrndm9IKj27xEApNkk0liWf1UAuRi5U', '_5y5lJS2i0ny21jqL2roNHnCj8mL9f1NcYojpF4WCd5QCYT4DN0j6Oxzsi1oH1LlOXbQF'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, HZi2QofiYG.cs	High entropy of concatenated method names: 'T4SpxDr8NY', 'ToUOouwhj2Q2kIMkNjzebcjiLsDcNYxl7Js7wE3HnKUm9', 'qA4ugixNt7zMxcx61mjLzBpKv3Qj0hMp8pgOrlL6qsQBb', 't5y7kZYLRZvx2VQxUYFlDMVOOtZ6NmMz0irQBrzqS4eSr', '_1KDw1rQLHBRmlAh25BiKNYcVR2XsIg6iSsOBqmTUdSm05'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, PY7JtnPMei.cs	High entropy of concatenated method names: 'PIzi7fb2RQ', 'Y174dhc0Sy', 'tpymlfR0lq', 'v8a2lNM4Pk', '_88UlDrGuYM', 'yuQ8kIGqru', 'SyVUy8RwjX', 'FDpj49fNfe', '_6J8O3NCmM9', 'MifUmqNUvZ'
Source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, n3KIdyQiO9.cs	High entropy of concatenated method names: '_9WHRSclXIP', 'eo7Gv6raPY', 'IGwpVYsrCP', 'MGWe0a8cvY', 'aKsxOtSHnl', 'p8PCcdpIXJ', 'UPkVeQIWtZ', 'DmGhX3DYyb', 'W4Qp0T1L6g', 'tAVZBIkjFZ'

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	File created: C:\Users\user\AppData\Local\Temp\P00LCUE.exe			Jump to dropped file
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	File created: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe			Jump to dropped file

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: XSLHv0kxy7.exe, 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, BLACKSUPER X.exe, 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, BLACKSUPER X.exe.0.dr	Binary or memory string: SBIEDLL.DLL7V6VVHQ9EQASUJLXXJ932N5VFGVG7PMCLHKZALDQVDVPW86BGPH30YU97PJHUR5CD7LCYXXMMAOIBMMNAVOE7OAMSEHNBYKMXKEM1CLYAZXZHG4Q7YIBBPLBZGF68EMVUBNO3GTC8ZVV7OZEVCBMFDMVSTGKKJ2XVB2YHMKW78ZP4ZSIC2OHLEPL9XKUETGOFBOL73TSKLOBRGGUFBINRCIZEMYP2UHY72HKZ4IU9P090FBRZJDQICPFFPGH7ZLRBGUMG2VNUHYTUIWEYOKNPLTP7L3DEMEYE9CO99YM3DNQWYHKGTBX7TQOAY8JGBHXRCUN5EVCLCQFC4SE7F6OJ7K25SSWZRCPD3PGVEYK3KMI7AZVK5K2ZM0KYARFROZWZJ3VXIMNINFO

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Memory allocated: 1AF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Memory allocated: 1090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Memory allocated: 1AC10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe TID: 7488

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Code function: 1_2_00007FF620372340 GetSystemInfo,VirtualQueryEx,memset,ReadProcessMemory,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,

1_2_00007FF620372340

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BLACKSUPER X.exe, 00000003.00000002.1999322026.000000001BAC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: BLACKSUPER X.exe.0.dr	Binary or memory string: vmware
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Code function: 3_2_00007FFD9B797A81 CheckRemoteDebuggerPresent,

3_2_00007FFD9B797A81

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Code function: 1_2_00007FF62037740C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF62037740C

Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF6203775B4 SetUnhandledExceptionFilter,	1_2_00007FF6203775B4
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF620376F68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF620376F68
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Code function: 1_2_00007FF62037740C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF62037740C

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process created: C:\Users\user\AppData\Local\Temp\P00LCUE.exe "C:\Users\user\AppData\Local\Temp\P00LCUE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Process created: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe "C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe	Queries volume information: C:\Users\user\Desktop\XSLHv0kxy7.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Code function: 1_2_00007FF620377628 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF620377628

Source: C:\Users\user\Desktop\XSLHv0kxy7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.0.BLACKSUPER X.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2fbf170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2f90c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1998540533.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XSLHv0kxy7.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BLACKSUPER X.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.0.BLACKSUPER X.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2fbf170.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2fbf170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.XSLHv0kxy7.exe.2f90c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1998540533.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: XSLHv0kxy7.exe PID: 7468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BLACKSUPER X.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	441 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Obfuscated Files or Information	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
XSLHv0kxy7.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.XWormRAT
XSLHv0kxy7.exe	100%	Avira	TR/Dropper.Gen
XSLHv0kxy7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe	92%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\P00LCUE.exe	11%	ReversingLabs

Source	Detection	Scanner	Label	Link
185.84.161.66	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.84.161.66	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://keyauth.win/api/1.2/k	P00LCUE.exe, 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmp	false	high
http://upx.sf.net	Amcache.hve.8.dr	false	high
https://keyauth.win/api/1.2/y	P00LCUE.exe, 00000001.00000002.1836572125.00000203B8FEC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://keyauth.win/api/1.2/	P00LCUE.exe, P00LCUE.exe, 00000001.00000002.1836572125.00000203B8FEC000.00000004.00000020.00020000.00000000.sdmp, P00LCUE.exe, 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmp	false	high
http://ip-api.com	BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, BLACKSUPER X.exe, 00000003.00000002.1998540533.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557205
Start date and time:	2024-11-17 19:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XSLHv0kxy7.exe renamed because original name is a hash value
Original Sample Name:	310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/9@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XSLHv0kxy7.exe, PID 7468 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: XSLHv0kxy7.exe

Simulations

Behavior and APIs

Time	Type	Description
13:22:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	dkKMw0OlZ9.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	program.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	skuld.exe	Get hash	malicious	Skuld Stealer	Browse	ip-api.com/line/?fields=hosting
	SolaraBostrappers.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	svhost.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	Midnight.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	exe030.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	dkKMw0OlZ9.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	208.95.112.1
	program.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	skuld.exe	Get hash	malicious	Skuld Stealer	Browse	208.95.112.1
	SolaraBostrappers.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	svhost.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	Midnight.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	exe030.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	oaUNY8P657.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IAdjMfB2A5.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	dkKMw0OlZ9.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	208.95.112.1
	program.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	skuld.exe	Get hash	malicious	Skuld Stealer	Browse	208.95.112.1
	SolaraBostrappers.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	svhost.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	Midnight.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	exe030.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BLACKSUPER X.exe_175f8be7b2927dcfe564353a4b63bca3ee77699a_64f3a80a_ae410ffc-cda7-44d4-9675-dd62bff63721\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.215040530468481
Encrypted:	false
SSDEEP:	384:p8aQcY6DL/NxMymca48ihxPzuiFhY4lO8e/G:uqNxMga45zuiFhY4lO8
MD5:	FB4D4F6CBED306714D134693580C12CF
SHA1:	067BCBB629C7BB64E1E801249F52D500B39BCAC0
SHA-256:	8AA3D28BA44FCA72E36798BCFE076E7A78E1626CF9336CA1A2DA5AC42D7FC37A
SHA-512:	B66053ABA457EE2C916CA9298AE1AC493B8572EA9DBC5FCCBA7F723676A88FB85E4165CEFA884B02510F84A9D113DD49AC652B4033BF97EA7A936AF70A779899
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.3.4.1.3.3.2.8.4.7.4.0.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.3.4.1.3.3.3.5.1.9.2.7.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.4.1.0.f.f.c.-.c.d.a.7.-.4.4.d.4.-.9.6.7.5.-.d.d.6.2.b.f.f.6.3.7.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.6.2.a.0.0.0.-.7.c.a.4.-.4.e.8.5.-.9.6.c.4.-.2.4.b.3.f.c.c.c.e.b.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.L.A.C.K.S.U.P.E.R. .X...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.L.A.C.K.S.U.P.E.R. .X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.8.-.0.0.0.1.-.0.0.1.4.-.6.d.d.5.-.e.f.9.7.1.d.3.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.e.1.c.b.d.4.4.b.2.9.e.a.7.e.9.f.4.6.2.c.f.f.4.b.c.2.5.d.2.9.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.5.b.5.9.d.6.c.3.c.3.8.2.2.9.5.d.5.d.5.f.e.d.1.a.e.d.0.4.3.4.2.a.7.a.b.7.f.2.e.!.B.L.A.C.K.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5045.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Nov 17 18:22:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	452363
Entropy (8bit):	3.0627863667152173
Encrypted:	false
SSDEEP:	3072:8ml12OU3cSJk91CCqeXw3+vrmtHsMff4bRkjXZ4NPyvjPZuIQK8:8M11+J+qeXw3QrmtHsMGoMmsb
MD5:	FC733299D947576D90A679FFED746769
SHA1:	8DAD7613B67AFF8B4DFE0E9EAEC45E51161EABBB
SHA-256:	267D361B5D743F679A1FA6642BB05CAFC89521D0D3B095DD090A6F454D8EF7E1
SHA-512:	B07DAE2A2DEE31580CCE224D172E463CAC55026A730AB9928D55600858F5BEA3E13A7625B7DE46D8B464785C4AFF35D5A307BDDC8008301CE6E5F97BDC4D4613
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......U4:g........................d...........<...X(...........(.......7..\...........l.......8...........T............A..3............6...........8..............................................................................eJ......09......Lw......................T...........H4:g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER520B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6750
Entropy (8bit):	3.727914494515263
Encrypted:	false
SSDEEP:	192:R6l7wVeJUlmrYZiMULpDp89bDrLxff0JBm:R6lXJUkrYoMU4DJfL
MD5:	EC936D318ADB9D2F3213C7054786D542
SHA1:	F01165771E1F29F89DAB2B4AFAD0617B8565D13F
SHA-256:	C3731465866ECD8A4FD5CD5EB967A883E221D62EB3203995077FCE49C2C19750
SHA-512:	99EB3D35936713D6D8931C5DCE420F0612DA049E247759D95F5010F5AF43DCDB54824C6F468CDDB38E0A5DB28B6A0E92FE85BB2BC08AC49F14CCFC10A92F9638
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER523B.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4779
Entropy (8bit):	4.487575836180753
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg771I93sWpW8VYqYm8M4J+FwZFPFYyq8vEwZF1GIYhYtpd:uIjfEI7sF7VeJoWHG7Wvd
MD5:	5E1B5FE35044F96BC22A1CA72717C091
SHA1:	4E8C7641A8658EFB2E3459A2B63FFE112735AE25
SHA-256:	E8677C31918E205466C7B59699604DDDD17A0F95CE17E32E9F15E8FE02479FB1
SHA-512:	9956D2D146DCE78231FDB045CF84865749667EB5F88CAF605DB807D9CDFF6B9DDF1DFEEA7B654A141B2B3A7C02610BC1F5CCCB8B9DC2CD88D16673C1748E4C83
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="592404" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XSLHv0kxy7.exe.log

Download File

Process:	C:\Users\user\Desktop\XSLHv0kxy7.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Download File

Process:	C:\Users\user\Desktop\XSLHv0kxy7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	5.859722703433308
Encrypted:	false
SSDEEP:	1536:QzUaGOQZnchasDspc1hnVmbjlLXa36tgOwB7nZXiR:TaGXZyDZ7IbjVazOwB7nZSR
MD5:	2D58B179EC133F1016A2496A96C5DA20
SHA1:	F5B59D6C3C382295D5D5FED1AED04342A7AB7F2E
SHA-256:	EA9C924BD79E33535B8D6537DA0A320CE89D6700697173397BB0A31341831A1B
SHA-512:	486E8248F14D721519BD3701D8DFAF6B8E5AF2BCE02825FAC078402C5AC4A1CEFF72AF2C36EB3A5C3006AAEF0EB00AE8B2289D5A2B8B149E50E7BC7E2BAD5ABC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n7g............................>... ...@....@.. ....................................@..................................)..K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ ......H........b..........&.....................................................(.....r...p. E/....(.....r...p. .O...s.........s.........s.........s..........rO..p.r...p. O....r...p. .(T..r...p. m.>..r/..p. .5...((....r5..p. S....rm..p. S.v..(+...-.(,...,.+.(-...,.+.(...,.+.()...,..(Z..."(....+.&(....&+..+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-..r...p. p{..r...p. .8..r%..p. V....r]..p. ....r...p.r...p. W...r...p. .....r=.

C:\Users\user\AppData\Local\Temp\P00LCUE.exe

Download File

Process:	C:\Users\user\Desktop\XSLHv0kxy7.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.853090791523441
Encrypted:	false
SSDEEP:	768:oaor32HL2sMiOhADu7zMkO18wH+XvlMJEdAz6NMxYPDufZDyc3C:o7r3eL2sMipuHMkA8mEdAz6NMyPDurC
MD5:	82389ACF1B04E8442FDAFA7C49C29A97
SHA1:	573BBC1861498616A8FE79762DE0FE3441E0AB21
SHA-256:	70EF677A281065331F49877743D7674891CCB1E63023FBC17E4D6C2E9F28B27A
SHA-512:	4D87D48265510DA16FD22920BBBC4476278E1991B62584C320B020D53DCD7CA9B718D9F10750F63B25DF1A741EF10369DA013E880A3D979EF3FAFF9332FD3EB1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................e.....,......,......,......,..................-.....-......a....-.....Rich...........................PE..d....y.f.........."....).p...Z......Po.........@..........................................`.................................................4...,...............P...................p...p...........................0...@............... ............................text...3o.......p.................. ..`.rdata...?.......@...t..............@..@.data...............................@....pdata..P...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465625745042789
Encrypted:	false
SSDEEP:	6144:NIXfpi67eLPU9skLmb0b4vWSPKaJG8nAgejZMMhA2gX4WABl0uN9dwBCswSby:eXD94vWlLZMM6YFH7+y
MD5:	AB72C17267E8A6CF851D9F1B5CD76F8D
SHA1:	1E5F4690F797208DC426B4D53C2C8BA459E66ECD
SHA-256:	A8B1EB254E74D92FBFB14169B807F509FFDA938186A3B8C8B04BB78403ED45F4
SHA-512:	D127A4BF16430F8CCAF1818CFB4F5E624BB9B3A29324CA1A2958C454841E892705CA9A72726900EFB38B1D3B7C15B69472419059F9E132D17EC4604C359E2FFD
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..M..9................................................................................................................................................................................................................................................................................................................................................Z.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\P00LCUE.exe
File Type:	ASCII text, with CRLF line terminators, with escape sequences
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5744976680308533
Encrypted:	false
SSDEEP:	3:rYQPERKiXRMWRElH4WUcQPERKiXRMWRElH4WUAzReOAbduNi2ov:kRKOBEOWUsRKOBEOWUMO4qv
MD5:	B102A51C7389F72A2080A67798710034
SHA1:	530B93C856901F68730D5EA4138D65A94C02A501
SHA-256:	5A65FE4F943C71CF37ADD9FF4EB0997359CA572AD26F270A86B025A5E0FE8CEB
SHA-512:	35D80ABB24FEA6CFB9619ED6A10ECAC367355CE4A0ACAD0A449FD3AF518D8FB656AAC1D60F0EC8E6CC91B9742C570463DA05BD29CC763E4C037007B94DBEE3FA
Malicious:	false
Preview:	.......... .[32mWating Prss Install to 1 - 3 min............ .[32mWating Prss Install to 1 - 3 min..Failed to open process handle...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.250216485854653
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	XSLHv0kxy7.exe
File size:	345'600 bytes
MD5:	a8bf7d1f42ce4fe13c76e01befe367fa
SHA1:	add32173cf45061d651b75f8b7ab33f86fdfbee7
SHA256:	310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8
SHA512:	eba707226d114c4405b25b627ee38ba5b2c24cf353fdafd1d78dd90c0fed5de67a2c8c0846609ad7d554306191836667f00dd896d12215fd769c6f36f0f58e2d
SSDEEP:	3072:rXjgxzi3Z80WaXjTa4X+oFM3bUiS75l/NTugUJV21KFpwqEBOrNoq98wSpvbUP:rzgxAZ82a4XrFXSlQqrR98XU
TLSH:	A27487B7A2154D43E27023F8D889F399CE5262E8EE7F8216EF713855E5C4B834D2D960
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7g.....................(.......:... ...@....@.. ....................................@................................

File Icon


Icon Hash:	6ecc6960e50b06c6

Static PE Info

General

Entrypoint:	0x413a2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6737F70F [Sat Nov 16 01:36:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x139d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x4259c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x11a34	0x11c00	b4006aa40f931f8708c4265670c49bcf	False	0.9464816241197183	data	7.90058172087949	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x4259c	0x42600	dd705d9593276a726c713f2503729f5d	False	0.17605711511299435	data	5.503964324915357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0xc	0x200	cffa7d7fa67820a1766a8b98be5a86a5	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x14130	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144	0.1734251560789419
RT_GROUP_ICON	0x56158	0x14	data	0.9
RT_VERSION	0x5616c	0x244	data	0.47413793103448276
RT_MANIFEST	0x563b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 19:22:12.348366976 CET	49730	80	192.168.2.4	208.95.112.1
Nov 17, 2024 19:22:12.353372097 CET	80	49730	208.95.112.1	192.168.2.4
Nov 17, 2024 19:22:12.353471041 CET	49730	80	192.168.2.4	208.95.112.1
Nov 17, 2024 19:22:12.354667902 CET	49730	80	192.168.2.4	208.95.112.1
Nov 17, 2024 19:22:12.359549999 CET	80	49730	208.95.112.1	192.168.2.4
Nov 17, 2024 19:22:12.969088078 CET	80	49730	208.95.112.1	192.168.2.4
Nov 17, 2024 19:22:13.095652103 CET	49730	80	192.168.2.4	208.95.112.1
Nov 17, 2024 19:22:30.310548067 CET	49730	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 19:22:12.303327084 CET	51485	53	192.168.2.4	1.1.1.1
Nov 17, 2024 19:22:12.314754009 CET	53	51485	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 17, 2024 19:22:12.303327084 CET	192.168.2.4	1.1.1.1	0xe6db	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 17, 2024 19:22:12.314754009 CET	1.1.1.1	192.168.2.4	0xe6db	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7576	C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

Timestamp	Bytes transferred	Direction	Data
Nov 17, 2024 19:22:12.354667902 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 17, 2024 19:22:12.969088078 CET	174	IN	HTTP/1.1 200 OK Date: Sun, 17 Nov 2024 18:22:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	0
Start time:	13:21:57
Start date:	17/11/2024
Path:	C:\Users\user\Desktop\XSLHv0kxy7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\XSLHv0kxy7.exe"
Imagebase:	0xc10000
File size:	345'600 bytes
MD5 hash:	A8BF7D1F42CE4FE13C76E01BEFE367FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1715918741.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:22:00
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Local\Temp\P00LCUE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\P00LCUE.exe"
Imagebase:	0x7ff620370000
File size:	50'176 bytes
MD5 hash:	82389ACF1B04E8442FDAFA7C49C29A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:22:00
Start date:	17/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:22:00
Start date:	17/11/2024
Path:	C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe"
Imagebase:	0x950000
File size:	71'168 bytes
MD5 hash:	2D58B179EC133F1016A2496A96C5DA20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1713951503.0000000000952000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1998540533.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:22:00
Start date:	17/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff680390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:22:00
Start date:	17/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff680390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:22:12
Start date:	17/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7576 -s 1684
Imagebase:	0x800000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD9B780A21 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716591201.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_XSLHv0kxy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b9dcacd6202acf8897aec52e583d270ffc4c8d944e7e1b6a9c6a287eaa3f29
Instruction ID: 6bf6da3897f0ae172e2c4d49796985f46ee67a6342a7709ba6ca7c962df5f20b
Opcode Fuzzy Hash: 99b9dcacd6202acf8897aec52e583d270ffc4c8d944e7e1b6a9c6a287eaa3f29
Instruction Fuzzy Hash: 78D16330B19A1D4FDBA8EF68D4A8ABA73E1FF54712B114679E41EC71E5CE34A8418740

Function 00007FFD9B7812D2 Relevance: 3.3, Strings: 2, Instructions: 836COMMON

Download Yara Rule

Strings

_Q^, xrefs: 00007FFD9B7812F4
U, xrefs: 00007FFD9B78150A

Memory Dump Source

Source File: 00000000.00000002.1716591201.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_XSLHv0kxy7.jbxd

Similarity

API ID:
String ID: U$_Q^
API String ID: 0-3831296343
Opcode ID: d6f921ec4948ccdc75a9241b8e82b339d3c48e038be59617f45bf4ed9784943a
Instruction ID: 9b8d1e0955e6a401e1216dc159fedaa74dd26876b95763f7c5b217a8b260bea5
Opcode Fuzzy Hash: d6f921ec4948ccdc75a9241b8e82b339d3c48e038be59617f45bf4ed9784943a
Instruction Fuzzy Hash: FCC10951B1DE894FE7A89F7C48A97A87BD1EF98311F0502BAE04DC36E7DE3468418341

Function 00007FFD9B7804B2 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716591201.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_XSLHv0kxy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f923b06fc0b90e2bd6d07e34de9e7ad8c5f4764bf9382789112d8b2ffba3441
Instruction ID: 60723162f13c8059590566cfb231d66d92e86f70cbc9e7c3622c0c6fd5b5603c
Opcode Fuzzy Hash: 1f923b06fc0b90e2bd6d07e34de9e7ad8c5f4764bf9382789112d8b2ffba3441
Instruction Fuzzy Hash: AE413551F0FFC69FE32557B848799697B90BF22B21B0A42BAC0AC470F3CD29A5058351

Function 00007FFD9B7804A8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716591201.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_XSLHv0kxy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c720d0ca38ee2deaf5163dc4f6cbea4d8bd5e097309bb7b57e562df567d3e2fc
Instruction ID: 7c5b8bbf1815370086ccc56e2345c2ee2486345f98368360782501c86fb15a70
Opcode Fuzzy Hash: c720d0ca38ee2deaf5163dc4f6cbea4d8bd5e097309bb7b57e562df567d3e2fc
Instruction Fuzzy Hash: 6AA1E821B19E494FE798DF6C48A97B9B7D1EF9C311F050279E04EC32E6DE74A8418341

Function 00007FFD9B78109E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716591201.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_XSLHv0kxy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31cc9301fca081da36ceeb9cbc168f6fbd6349a5f29e5b126b8c301543d499e
Instruction ID: bbbed9df2ddcba3ebb072479f8775ca5d068e14ac9514438c53ae6806b263398
Opcode Fuzzy Hash: b31cc9301fca081da36ceeb9cbc168f6fbd6349a5f29e5b126b8c301543d499e
Instruction Fuzzy Hash: 12E06502F59C4D0BE794A9AC68E66B863C2DBDC225B51427AD15EC339AEC285C824782

Function 00007FFD9B7809E6 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716591201.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b780000_XSLHv0kxy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5b7798e31fd065035decac5f210c6d810b174027aeb542add07ad4d3e0fc8f
Instruction ID: c1a33cd49ad0312530de73dee7a876fdf47052476410a74274e61a1b10e0d713
Opcode Fuzzy Hash: bc5b7798e31fd065035decac5f210c6d810b174027aeb542add07ad4d3e0fc8f
Instruction Fuzzy Hash: C1E0CD20B18D1507EB88F51C6461D7D77C1DB84754F440564F80DD32D5DD189B8143C1

Analysis Process: P00LCUE.exePID: 7552, Parent PID: 7468COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.6%
Total number of Nodes:	811
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF6203741C0 Relevance: 77.3, APIs: 33, Strings: 11, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00007FF6203741F5
GetConsoleWindow.KERNELBASE ref: 00007FF6203741FE
ShowWindow.USER32 ref: 00007FF620374209
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF620374216
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF620374223
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF620374230
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF62037423D
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF62037424A
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF620374257
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF620374264
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF620374271
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037427E
SetConsoleTitleA.KERNEL32 ref: 00007FF62037428B
GetStdHandle.KERNEL32 ref: 00007FF620374296
GetWindowLongW.USER32 ref: 00007FF6203742A7
SetWindowLongW.USER32 ref: 00007FF6203742BD
GetCurrentConsoleFontEx.KERNELBASE ref: 00007FF6203742D3
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6203742E9
SetCurrentConsoleFontEx.KERNELBASE ref: 00007FF6203742FF
memcpy.VCRUNTIME140 ref: 00007FF620374367

Part of subcall function 00007FF620376A40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62037575C,?,?,?,?,?,?,?,00007FF6203711CF), ref: 00007FF620376A5A

memcpy.VCRUNTIME140 ref: 00007FF6203743B7
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203743EF
_Thrd_detach.MSVCP140 ref: 00007FF620374419
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620374467
_Thrd_detach.MSVCP140 ref: 00007FF620374489
Beep.KERNELBASE ref: 00007FF6203744AC
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203744B4
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6203744C0
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6203744D0
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6203744DC
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6203744EC

Part of subcall function 00007FF6203763C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF620376449

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620374573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037457A

Strings

C:\ProgramData\left.json, xrefs: 00007FF620374250
C:\ProgramData\right.json, xrefs: 00007FF620374243
C:\ProgramData\frontvar.json, xrefs: 00007FF62037425D
Bat Aimbot Head* | c05974, xrefs: 00007FF620374284
C:\ProgramData\counter1.json, xrefs: 00007FF62037420F
cls, xrefs: 00007FF620374277
C:\ProgramData\counter2.json, xrefs: 00007FF62037421C
C:\ProgramData\back.json, xrefs: 00007FF620374236
Lucida Console, xrefs: 00007FF6203742D9
C:\ProgramData\front.json, xrefs: 00007FF620374229
C:\ProgramData\5555.json, xrefs: 00007FF62037426A

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: remove$ConsoleWindow$Cpp_error@std@@Throw_$CurrentFontLongThrd_detach_beginthreadexmemcpy$BeepConcurrency::cancel_current_taskHandleShowTitle_invalid_parameter_noinfo_noreturnexitmallocsystemterminatewcscpy_s
String ID: Bat Aimbot Head* | c05974$C:\ProgramData\5555.json$C:\ProgramData\back.json$C:\ProgramData\counter1.json$C:\ProgramData\counter2.json$C:\ProgramData\front.json$C:\ProgramData\frontvar.json$C:\ProgramData\left.json$C:\ProgramData\right.json$Lucida Console$cls
API String ID: 116377887-3169833497
Opcode ID: 4b4673ac1a6a2a8122306d394406ef5521440b307d1b85bdbff05972462019b6
Instruction ID: 78ea0034cf1ec9a4b1d2c79f9dfda3be2ff1bc6f59044430755790fa174fd428
Opcode Fuzzy Hash: 4b4673ac1a6a2a8122306d394406ef5521440b307d1b85bdbff05972462019b6
Instruction Fuzzy Hash: 78B12931A48B43E6EF009B65EC942B933A1FB44B59F504139DA4D9ABB4DF3CE459C342

Function 00007FF620373D50 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373D88

Part of subcall function 00007FF620372AF0: memset.VCRUNTIME140 ref: 00007FF620372B4D
Part of subcall function 00007FF620372AF0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF620372BE3
Part of subcall function 00007FF620372AF0: ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372C64
Part of subcall function 00007FF620372AF0: ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DB4
Part of subcall function 00007FF620372AF0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DBE

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373E73
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373ECA
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF620373EE8
_Thrd_id.MSVCP140 ref: 00007FF620373EEF
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF620373EFF
_Thrd_join.MSVCP140 ref: 00007FF620373F15
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF620373F24
Beep.KERNELBASE ref: 00007FF620373F3A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373F47
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373FB4
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF620373FF0
_Thrd_id.MSVCP140 ref: 00007FF62037403A
_Thrd_join.MSVCP140 ref: 00007FF620374056
Beep.KERNELBASE ref: 00007FF62037407A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203740DB
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203740E2
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6203740F2
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF6203740FE
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF62037410A
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF620374116
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037411D

Strings

cls, xrefs: 00007FF620373D81

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$D@std@@@std@@U?$char_traits@$terminate$BeepThrd_idThrd_joinV01@_beginthreadex_invalid_parameter_noinfo_noreturn$??1?$basic_ios@??1?$basic_istream@??1?$basic_streambuf@??6?$basic_ostream@V01@@memsetsystem
String ID: cls
API String ID: 2572847691-3046418502
Opcode ID: fb89758caaaf456a37bb13b8334d2eb496e7ea3377e6fdc09af4e1c5fcdc1fc0
Instruction ID: 1a80bc908520462539cd3e1b4ff6e2c83bb223360c5c0dd86db950090901dace
Opcode Fuzzy Hash: fb89758caaaf456a37bb13b8334d2eb496e7ea3377e6fdc09af4e1c5fcdc1fc0
Instruction Fuzzy Hash: 85B17B32E58A43E6FF408F64DC942B833A1FB44799F444639DA4D9ABA4DF3CA594C342

Function 00007FF620373A40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 123
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6203725B0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6203725E6
Part of subcall function 00007FF6203725B0: Process32FirstW.KERNEL32 ref: 00007FF6203725FF
Part of subcall function 00007FF6203725B0: Process32NextW.KERNEL32 ref: 00007FF620372708
Part of subcall function 00007FF6203725B0: CloseHandle.KERNELBASE ref: 00007FF620372719

OpenProcess.KERNEL32 ref: 00007FF620373A68
MessageBoxA.USER32 ref: 00007FF620373A89
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373B98
_wcsdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF620373BFE
CreateProcessW.KERNEL32 ref: 00007FF620373C35
WaitForSingleObject.KERNEL32 ref: 00007FF620373C49
CloseHandle.KERNEL32 ref: 00007FF620373C54
CloseHandle.KERNEL32 ref: 00007FF620373C5F

Strings

h, xrefs: 00007FF620373BAF
Error, xrefs: 00007FF620373A79
attrib +h +s C:\ProgramData\counter1.json, xrefs: 00007FF620373BBF
Failed to open process., xrefs: 00007FF620373A80

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: CloseHandle$CreateProcessProcess32$FirstMessageNextObjectOpenSingleSnapshotToolhelp32Wait_invalid_parameter_noinfo_noreturn_wcsdup
String ID: Error$Failed to open process.$attrib +h +s C:\ProgramData\counter1.json$h
API String ID: 1658151911-3760130278
Opcode ID: 79edc0471b3ca79d2d22e00f766fcc51eb3aa554bc22d94dde445eb4fc966af8
Instruction ID: 7726db74b61301c0ea461a5ba0ab2a23e20e71a0961291605dc61662d905825a
Opcode Fuzzy Hash: 79edc0471b3ca79d2d22e00f766fcc51eb3aa554bc22d94dde445eb4fc966af8
Instruction Fuzzy Hash: 52516122A58B83D1EE60CB10EC803B9B360FF85794F104239DAAD8ABB4DF7CD0848701

Function 00007FF6203725B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6203725E6
Process32FirstW.KERNEL32 ref: 00007FF6203725FF
Process32NextW.KERNEL32 ref: 00007FF620372708
CloseHandle.KERNELBASE ref: 00007FF620372719
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037278E
CloseHandle.KERNEL32 ref: 00007FF620372795

Strings

GTAProcess, xrefs: 00007FF620372610

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_invalid_parameter_noinfo_noreturn
String ID: GTAProcess
API String ID: 881181425-2175359186
Opcode ID: 2613e9da877990280d98a101d821d8fc77633f6dbc7195a9aa21fb461fbd9bf8
Instruction ID: 28304a7f9bad0b88cade59f20bcf85427114b861a23469334689c2e498bbdb8b
Opcode Fuzzy Hash: 2613e9da877990280d98a101d821d8fc77633f6dbc7195a9aa21fb461fbd9bf8
Instruction Fuzzy Hash: 6841A432B18A83E1EE508F25D88427A63A0FB45BA0F544331EAAD9BBE4DF7CD544C701

Function 00007FF620372EB0 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 257
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF620372AF0: memset.VCRUNTIME140 ref: 00007FF620372B4D
Part of subcall function 00007FF620372AF0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF620372BE3
Part of subcall function 00007FF620372AF0: ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372C64
Part of subcall function 00007FF620372AF0: ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DB4
Part of subcall function 00007FF620372AF0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DBE

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620372F8F
OpenProcess.KERNEL32 ref: 00007FF620372FB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037307D
CloseHandle.KERNEL32 ref: 00007FF620373095
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF6203730F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF6203730FC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF62037310C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6203730B8

Part of subcall function 00007FF620375DD0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375E49
Part of subcall function 00007FF620375DD0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF620375E69
Part of subcall function 00007FF620375DD0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375E79
Part of subcall function 00007FF620375DD0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF620375F5C
Part of subcall function 00007FF620375DD0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF620375F63
Part of subcall function 00007FF620375DD0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF620375F70

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF62037313E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF620373170
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF62037317C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF62037318C
OpenProcess.KERNEL32 ref: 00007FF6203731D2
ReadProcessMemory.KERNEL32 ref: 00007FF6203731FC
WriteProcessMemory.KERNEL32 ref: 00007FF620373217
CloseHandle.KERNEL32 ref: 00007FF620373220
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620373282

Part of subcall function 00007FF620375DD0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF620375EC6

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF62037324E

Part of subcall function 00007FF620375DD0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF620375EEF
Part of subcall function 00007FF620375DD0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF620375F16

Strings

Address: 0x, xrefs: 00007FF6203730D3, 00007FF620373153
Found addresses:, xrefs: 00007FF62037309B
Failed to open process handle., xrefs: 00007FF620373231
Found addresses from file:, xrefs: 00007FF620373121

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V01@$??6?$basic_ostream@$V01@@$Process$_invalid_parameter_noinfo_noreturn$?good@ios_base@std@@?sputc@?$basic_streambuf@CloseHandleMemoryOpenV01@_V21@@Vios_base@1@$??1?$basic_ios@??1?$basic_istream@??1?$basic_streambuf@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@ReadV12@Writememset
String ID: Address: 0x$Failed to open process handle.$Found addresses from file:$Found addresses:
API String ID: 2046513103-2894768898
Opcode ID: 87eaca3f77154e0081f26dac1b9232eaf099f9805513264289fb7d816287bec3
Instruction ID: c6c605f99ada2574892c185717c43882f75c9b03f71df09edbc4b4a2c0e89700
Opcode Fuzzy Hash: 87eaca3f77154e0081f26dac1b9232eaf099f9805513264289fb7d816287bec3
Instruction Fuzzy Hash: 8FB17A22B59A43E5EE049B25EC842B96360FF48B98F404235DE5D9BBB9DF7CE445C302

Function 00007FF620372AF0 Relevance: 19.7, APIs: 13, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF620372B4D

Part of subcall function 00007FF6203745F0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF62037461B
Part of subcall function 00007FF6203745F0: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF62037463A
Part of subcall function 00007FF6203745F0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF62037466C
Part of subcall function 00007FF6203745F0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF620374687
Part of subcall function 00007FF6203745F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF6203746D7

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF620372BE3
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372C64
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF620372C7C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_K@Z.MSVCP140 ref: 00007FF620372C8A
??Bios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620372C9A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF620372CD6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_K@Z.MSVCP140 ref: 00007FF620372CE4
??Bios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620372CF4
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF620372D26
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DA8
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DB4
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620372DBE

Part of subcall function 00007FF620375DD0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375E49
Part of subcall function 00007FF620375DD0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF620375E69
Part of subcall function 00007FF620375DD0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375E79
Part of subcall function 00007FF620375DD0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF620375F5C
Part of subcall function 00007FF620375DD0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF620375F63
Part of subcall function 00007FF620375DD0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF620375F70

Part of subcall function 00007FF620375DD0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF620375EC6

Part of subcall function 00007FF620375DD0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF620375EEF
Part of subcall function 00007FF620375DD0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF620375F16

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@?setstate@?$basic_ios@$??1?$basic_streambuf@??5?$basic_istream@?good@ios_base@std@@?sputc@?$basic_streambuf@Bios_base@std@@V21@@Vios_base@1@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_istream@?flush@?$basic_ostream@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Init@?$basic_streambuf@Osfx@?$basic_ostream@V01@@V12@V?$basic_streambuf@memset
String ID:
API String ID: 4050549558-0
Opcode ID: 4ce6b16d2f45b11d3bcd15cb2600135273e922c64144069f1dbd649bf3c5001c
Instruction ID: 3dda0918c68ce57c12cd21761a240868273dc58bd73f0bbe7d898dfaad487884
Opcode Fuzzy Hash: 4ce6b16d2f45b11d3bcd15cb2600135273e922c64144069f1dbd649bf3c5001c
Instruction Fuzzy Hash: A991C232A58B86E5EF00DF25E8942B963A5FB84B84F904432DA4D8BB79DF7CE445C701

Function 00007FF620375DD0 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375E49
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF620375E69
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375E79
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF620375EC6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF620375EEF
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF620375F16
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF620375F5C
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF620375F63
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF620375F70

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3274656010-0
Opcode ID: afb8fbe5ce7b71b20396a5981d8b937dd4107457127f4705f9ed6d6a91a5f01e
Instruction ID: 4808d7b8084c46c647a8256f4f885edab2566dd0346390db158a2a693c58d58e
Opcode Fuzzy Hash: afb8fbe5ce7b71b20396a5981d8b937dd4107457127f4705f9ed6d6a91a5f01e
Instruction Fuzzy Hash: 69512C33A08A42D2EF648F19E9D0278A7A0FB85F95B55C531CA5E8BBB1CF79D542C301

Function 00007FF620376DD4 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF620376DFD
__scrt_release_startup_lock.LIBCMT ref: 00007FF620376E6B
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376EB9
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376EBE
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376EC6
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376ECE
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376EF0
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376F4A

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: ebbe28923bcede08e3a27573fb81dd6f09e7c3854d746f6ade6dea353e5aff33
Instruction ID: acad750eda8fe3b36d121c5cf28e39bfffb8a9b2bc37cf09f8e87cf29d332616
Opcode Fuzzy Hash: ebbe28923bcede08e3a27573fb81dd6f09e7c3854d746f6ade6dea353e5aff33
Instruction Fuzzy Hash: 7D312921A08243E2FE14AB25EDE63B92291AF45784F444439EA4DCF7F7DE2DA844C753

Function 00007FF6203745F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF62037461B
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF62037463A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF62037466C
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF620374687

Part of subcall function 00007FF620375AA0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF620375ADA
Part of subcall function 00007FF620375AA0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF620375AF7
Part of subcall function 00007FF620375AA0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF620375B20
Part of subcall function 00007FF620375AA0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF620375B6B
Part of subcall function 00007FF620375AA0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375B80

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620372B5C), ref: 00007FF6203746D7

Strings

C:\ProgramData\counter1.json, xrefs: 00007FF6203746B1

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID: C:\ProgramData\counter1.json
API String ID: 2682282330-3068170251
Opcode ID: 84097462706aecc32e92586af653c514ba0a8dae16f96084b84ad6512679cc66
Instruction ID: dfa75de56c05dfb87477543fe15fcac310eaf25e7bfef686c4d795bd4c3e57d9
Opcode Fuzzy Hash: 84097462706aecc32e92586af653c514ba0a8dae16f96084b84ad6512679cc66
Instruction Fuzzy Hash: 41213632649B82D6EF108F25E99433977A0FB49B88F448135CA4D8BB24DF3CD115C742

Function 00007FF620373970 Relevance: 10.5, APIs: 7, Instructions: 49
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6203739BA
Process32FirstW.KERNEL32 ref: 00007FF6203739D9
CloseHandle.KERNELBASE ref: 00007FF6203739E6
_Thrd_yield.MSVCP140 ref: 00007FF620373A29

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotThrd_yieldToolhelp32
String ID:
API String ID: 1362082536-0
Opcode ID: 625f585ef028860581f62ffb7b0b91156ed2cf808ef8618880c22a740702cc3c
Instruction ID: 8da103755f4c7d36761a84502c86e9e76fc6739520c229bbda6dbb023eda774b
Opcode Fuzzy Hash: 625f585ef028860581f62ffb7b0b91156ed2cf808ef8618880c22a740702cc3c
Instruction Fuzzy Hash: 3D114F21A4DA43E1EE509B15ECC823A6760FF85B90F044230DA5E9B7B4EF7CE414C702

Function 00007FF620375AA0 Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF620375ADA
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF620375AF7
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF620375B20
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF620375B6B

Part of subcall function 00007FF620375FF0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF62037601D
Part of subcall function 00007FF620375FF0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF620376037
Part of subcall function 00007FF620375FF0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF620376069
Part of subcall function 00007FF620375FF0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF620376094
Part of subcall function 00007FF620375FF0: std::_Facet_Register.LIBCPMT ref: 00007FF6203760AD
Part of subcall function 00007FF620375FF0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF6203760CC

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375B80
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF620375B97

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: b0123849ad09c8c6dbac2d140cba4555ea28f13a8cf9db0f0653b14ca7bc48ab
Instruction ID: 9aee9aa585f6b2f29b304574c25787fc8202f9d3ee8c5aab779fb230522f8cba
Opcode Fuzzy Hash: b0123849ad09c8c6dbac2d140cba4555ea28f13a8cf9db0f0653b14ca7bc48ab
Instruction Fuzzy Hash: ED314832619B82D2EF548F25A88436977E4FB89F88F040039DA8E8BB68DF7CD445C740

Function 00007FF620375FB0 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF620375FC5
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z.MSVCP140 ref: 00007FF620375FD1
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF620375FDA

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V12@$?flush@?$basic_ostream@?put@?$basic_ostream@?widen@?$basic_ios@
String ID:
API String ID: 1875450691-0
Opcode ID: 5fed25aae8678ad7777d30a029329420ffdded569f7e1ba7fe0ec57107941d23
Instruction ID: 80f0002480af22185ac7b4b40c1a4a597cf6c8c121c748c2f1fdcdb155d3d1df
Opcode Fuzzy Hash: 5fed25aae8678ad7777d30a029329420ffdded569f7e1ba7fe0ec57107941d23
Instruction Fuzzy Hash: 23D01721A84A07D2DE089F26BC940381320EF89F56B4CA430CE0F8A721CE3CD09A8210

Function 00007FF620376930 Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00007FF62037693C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203769A2

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2838785208-0
Opcode ID: adf200b88600350f25c596a182a744d6149bedc3daa09ed477a05bf7a5c0cc35
Instruction ID: 7cb1dd0054ac81609eaa7a1f903b97073dd30a2cd6395297374755e5e0a244b0
Opcode Fuzzy Hash: adf200b88600350f25c596a182a744d6149bedc3daa09ed477a05bf7a5c0cc35
Instruction Fuzzy Hash: 43019E22712687E4EE188F7598A837D6390EF05B54F144934C66D8A7A8DE3DD4908302

Function 00007FF6203768D0 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00007FF6203768DB

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: be2e5a1da491452cc0dcb22902c40c40ca7b71c38e8e308543c73ad22f2639d6
Instruction ID: 13f01669eece89f1b1cf2542da4459e435a60d239cf75baa1a6e865421e213aa
Opcode Fuzzy Hash: be2e5a1da491452cc0dcb22902c40c40ca7b71c38e8e308543c73ad22f2639d6
Instruction Fuzzy Hash: B8C08C00BA0203C2EF2527B2AC8917A13509F49B11F585034C94A8DB61CD3E84DE4B01

Non-executed Functions

Function 00007FF620373550 Relevance: 66.7, APIs: 28, Strings: 10, Instructions: 214
processwindowshutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF620373596
Process32FirstW.KERNEL32 ref: 00007FF6203735B5
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6203735C8
OpenProcess.KERNEL32 ref: 00007FF6203735DE
Process32NextW.KERNEL32 ref: 00007FF6203735F4
CloseHandle.KERNEL32 ref: 00007FF620373601
TerminateProcess.KERNEL32 ref: 00007FF620373638
CloseHandle.KERNEL32 ref: 00007FF620373641
memset.VCRUNTIME140 ref: 00007FF620373656
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF620373670
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF620373693
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6203736D3
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF6203736FC
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF620373759
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6203737AB
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203737D4
MessageBoxW.USER32 ref: 00007FF6203737F0
ShellExecuteW.SHELL32 ref: 00007FF620373820
GetCurrentProcess.KERNEL32 ref: 00007FF62037382C
OpenProcessToken.ADVAPI32 ref: 00007FF62037383F
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF620373859
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF62037388E
CloseHandle.KERNEL32 ref: 00007FF620373899
ExitWindowsEx.USER32 ref: 00007FF6203738A9
CloseHandle.KERNEL32 ref: 00007FF6203738B2
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF62037394A
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620373958
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF620373965

Strings

?????????????????.file, xrefs: 00007FF620373724
You are trying to meet the memory settings of a program that does not allow it., xrefs: 00007FF6203737E7
Anti Write Mode Kuy Hee, xrefs: 00007FF6203737B1
cmd.exe, xrefs: 00007FF620373810
Not Open 'Database.in' Write ib add, xrefs: 00007FF6203737BA
Error, xrefs: 00007FF6203737E0
Idon Crack Ver111##, xrefs: 00007FF62037376A
start ?????????????????.file, xrefs: 00007FF6203737CD
SeShutdownPrivilege, xrefs: 00007FF620373850
open, xrefs: 00007FF620373817

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$CloseHandleProcess$?setstate@?$basic_ios@OpenProcess32Token$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@AdjustCreateCurrentD@std@@@1@_ExecuteExitFirstInit@?$basic_streambuf@LookupMessageNextPrivilegePrivilegesShellSnapshotTerminateToolhelp32V?$basic_streambuf@ValueWindows_wcsicmpmemsetsystem
String ID: ?????????????????.file$Anti Write Mode Kuy Hee$Error$Idon Crack Ver111##$Not Open 'Database.in' Write ib add$SeShutdownPrivilege$You are trying to meet the memory settings of a program that does not allow it.$cmd.exe$open$start ?????????????????.file
API String ID: 2034507644-1961621723
Opcode ID: 52edc22afd46788e29417d68eb1b82b2a9841e377f9e23009e01537d21e54e6f
Instruction ID: d488d32cf31ef6625ed95e004752cdc6baed22c3e4da1261ab13d2f46229ba64
Opcode Fuzzy Hash: 52edc22afd46788e29417d68eb1b82b2a9841e377f9e23009e01537d21e54e6f
Instruction Fuzzy Hash: FFB1E832649A83E9EB608F25EC947F923A0FB49758F804035CA4D9AB64DF7CD649C702

Function 00007FF62037740C Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF620377428
memset.VCRUNTIME140 ref: 00007FF62037744C
RtlCaptureContext.KERNEL32 ref: 00007FF620377455
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62037746F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6203774B0
memset.VCRUNTIME140 ref: 00007FF6203774E3
IsDebuggerPresent.KERNEL32 ref: 00007FF620377504
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF620377521
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62037752C

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: b1236c11b624461f0c7ef87be3439e1f9dea54182dfbcaef34f954c2ef3bfa8f
Instruction ID: 7b4fca6256d7478b71c86d17fcd982eaf87db5b7ca40b72bda801b039d71c0ab
Opcode Fuzzy Hash: b1236c11b624461f0c7ef87be3439e1f9dea54182dfbcaef34f954c2ef3bfa8f
Instruction Fuzzy Hash: F5311E72608A82E6EF609F61E8803F97364FB84744F44403ADA4E9BBA5DF38D548C711

Function 00007FF620372340 Relevance: 9.2, APIs: 6, Instructions: 166COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF6203723A2
VirtualQueryEx.KERNEL32 ref: 00007FF6203723D0
memset.VCRUNTIME140 ref: 00007FF620372472

Part of subcall function 00007FF620376A40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62037575C,?,?,?,?,?,?,?,00007FF6203711CF), ref: 00007FF620376A5A

ReadProcessMemory.KERNEL32 ref: 00007FF62037249B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037259D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6203725AA

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: Concurrency::cancel_current_taskInfoMemoryProcessQueryReadSystemVirtual_invalid_parameter_noinfo_noreturnmallocmemset
String ID:
API String ID: 3069732781-0
Opcode ID: cb34571c44fe5942e95410ce4f1a72a963c569907e173b8487e5bc1318d1aaf7
Instruction ID: 1c4993a6c3df36d2a83b9e7375d9b959ebb12ec43983de95daae2e9f127cbdaf
Opcode Fuzzy Hash: cb34571c44fe5942e95410ce4f1a72a963c569907e173b8487e5bc1318d1aaf7
Instruction Fuzzy Hash: 1061B422B08A42E9FF10CB66D8943AD6360BB05BB8F544731DE6D9BBD8DE38D456C301

Function 00007FF620377628 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF620377654
GetCurrentThreadId.KERNEL32 ref: 00007FF620377662
GetCurrentProcessId.KERNEL32 ref: 00007FF62037766E
QueryPerformanceCounter.KERNEL32 ref: 00007FF62037767E

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 98ebc63e8e7b838f8adabee2691fecba1f914038a318751ce9f9c68791e0bd0c
Instruction ID: 092f8449767d1722b72c15f0c640929460aeac533b30a18cf7f9cc7ee4b2d00d
Opcode Fuzzy Hash: 98ebc63e8e7b838f8adabee2691fecba1f914038a318751ce9f9c68791e0bd0c
Instruction Fuzzy Hash: 05111822B54F02DAEF008B64EC942B933A4FB19758F441A35DA6D8ABA4DF78D1588381

Function 00007FF620374160 Relevance: 4.5, APIs: 3, Instructions: 21sleepkeyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF620374175
ShowWindow.USER32 ref: 00007FF6203741A0
Sleep.KERNEL32 ref: 00007FF6203741AB

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: AsyncShowSleepStateWindow
String ID:
API String ID: 163047062-0
Opcode ID: a1253da33624f0a2a870d5b60592e09a46fb21d2b74818bdfb0dc3164c7be4c2
Instruction ID: 733f0a759aa0fa04d6cff3e134e77f925a3ef9193a6439d6ca1e1b2a2c03c155
Opcode Fuzzy Hash: a1253da33624f0a2a870d5b60592e09a46fb21d2b74818bdfb0dc3164c7be4c2
Instruction Fuzzy Hash: D1E0E525E1C683E2FF296B70AC847752B61AFA5751F484479C44A8E7B1CF2CB8898353

Function 00007FF6203775B4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fba25a1d03ca5eddeea96f8393d94adc68f531d0f073cb6f3ca71fd16ae7a5c
Instruction ID: 095f5a16d03af5e024e29c62f8b3bdb57217e3e5e7bbc7bd7f57190a27f4bdcd
Opcode Fuzzy Hash: 3fba25a1d03ca5eddeea96f8393d94adc68f531d0f073cb6f3ca71fd16ae7a5c
Instruction Fuzzy Hash: 0CA0022194CC03F4EE048B00EDD05312B71EB51314B4104B1C00ED96B09F3CA54CC313

Function 00007FF6203727B0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6203727F4
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF620372809
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF620372828
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF62037285C
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF62037287B

Part of subcall function 00007FF620375AA0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF620375ADA
Part of subcall function 00007FF620375AA0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF620375AF7
Part of subcall function 00007FF620375AA0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF620375B20
Part of subcall function 00007FF620375AA0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF620375B6B
Part of subcall function 00007FF620375AA0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF620375B80

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6203728C9
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6203728F4
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF62037291F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF62037292B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF62037293B
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF620372972
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6203729E4
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6203729F0
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6203729FA

Strings

C:\ProgramData\counter1.json, xrefs: 00007FF62037289A
Waiting for write, xrefs: 00007FF6203728D7

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$?setstate@?$basic_ios@Init@?$basic_streambuf@V01@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@D@std@@@1@_Fiopen@std@@U_iobuf@@V01@_V21@@V?$basic_streambuf@Vios_base@1@Vlocale@2@_get_stream_buffer_pointersmemset
String ID: C:\ProgramData\counter1.json$Waiting for write
API String ID: 375129124-28146409
Opcode ID: 41d7566dca92f02f6cdac18ab6ccbb847dcd6e63207f2140d33552f548b17bd3
Instruction ID: d9dc36a3d18be2f3a6672d3947068148a0815b131a786c9d718179083d7db0f5
Opcode Fuzzy Hash: 41d7566dca92f02f6cdac18ab6ccbb847dcd6e63207f2140d33552f548b17bd3
Instruction Fuzzy Hash: ED715D32A28A82E5EF50CB25E8902B97760FB84B94F455036EA4E97B78DF3CD545CB01

Function 00007FF620376450 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 295COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF62037645B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037665C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF620376663
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF620376670
memcpy.VCRUNTIME140 ref: 00007FF62037678F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6203767FD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62037680A

Strings

vector too long, xrefs: 00007FF620376454

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn$Xlength_error@std@@memcpyterminate
String ID: vector too long
API String ID: 4149089811-2873823879
Opcode ID: ea958d05045275d7f9a7e3a9ac66b69cf396e81ccf1322296ab9389c8f4e2d36
Instruction ID: a9ca39e320789f5244ffc16f0b320e9717bfa0de8c3c6097da85a4dfca738207
Opcode Fuzzy Hash: ea958d05045275d7f9a7e3a9ac66b69cf396e81ccf1322296ab9389c8f4e2d36
Instruction Fuzzy Hash: 59A1C362B09B87E1EE14CB25D9A42BC2360EB45BE4F548635DA6D8B7E5DF3CE091C301

Function 00007FF620374CA0 Relevance: 10.7, APIs: 7, Instructions: 177COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF620374D52

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: b991bf56b97f00b424a1ba7ed4f6701bd83b5968137fa14062c07bccba4cd40c
Instruction ID: 477937aecda5995f403d1e6de31006792638ade09cd0fafa524355393b52f063
Opcode Fuzzy Hash: b991bf56b97f00b424a1ba7ed4f6701bd83b5968137fa14062c07bccba4cd40c
Instruction Fuzzy Hash: 90815D32F18A42EAEF108F65D8802AC37B0F748768F545636DA5D9BBA4DF38E594C311

Function 00007FF620375FF0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF62037601D
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF620376037
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF620376069
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF620376094
std::_Facet_Register.LIBCPMT ref: 00007FF6203760AD
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF620375B7A), ref: 00007FF6203760CC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6203760F7

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 7e5fc6697babf7da2c82fe3681f4ae3e1530b5e3d67986b7d103e55dcf608f15
Instruction ID: c24cda61a07b129363bafd35c06c7f9c94739386b3b199d138a56b5f3db961e0
Opcode Fuzzy Hash: 7e5fc6697babf7da2c82fe3681f4ae3e1530b5e3d67986b7d103e55dcf608f15
Instruction Fuzzy Hash: 60316D32A08B46D1EE548F15E8901697760FB88B94F480635DB9E8BBB5DF3CE455C701

Function 00007FF620376100 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF620376143
memcpy.VCRUNTIME140 ref: 00007FF620376204
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF620376228

Strings

GTAProcess, xrefs: 00007FF620376102

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID: GTAProcess
API String ID: 326894585-2175359186
Opcode ID: 236114548b2a61902ae2430156873bb5ba21e44a7c0d7f108fad327db99beb6c
Instruction ID: 5ac87a96df7f4cc14e645f0f56edef5ea272d69e0e83b365040cc3b5d4da3f28
Opcode Fuzzy Hash: 236114548b2a61902ae2430156873bb5ba21e44a7c0d7f108fad327db99beb6c
Instruction Fuzzy Hash: B631E222B0A743E5EE249B51AC902BD2650AB057F4F980B30DE7D9B7E6DE3CE1918301

Function 00007FF620371B50 Relevance: 7.7, APIs: 5, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF620375680: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF6203711CF), ref: 00007FF620375771

Part of subcall function 00007FF620375680: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF6203711CF), ref: 00007FF620375750
Part of subcall function 00007FF620375680: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62037578C

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF620371871), ref: 00007FF620371DD7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF620371871), ref: 00007FF620371DDE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF620371871), ref: 00007FF620371DE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF620371871), ref: 00007FF620371DEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00007FF620371871), ref: 00007FF620371DF3

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmemcpy
String ID:
API String ID: 2318677668-0
Opcode ID: 0f0df8395a7d051127279f21b89d5d0c5fcc752cf051496201ef76c8aa64d1a6
Instruction ID: 3c57d979918c6c23e961ee7c7b67c4a2b9470a79cfccea97abac134f21e74314
Opcode Fuzzy Hash: 0f0df8395a7d051127279f21b89d5d0c5fcc752cf051496201ef76c8aa64d1a6
Instruction Fuzzy Hash: F2717A62A18A87E4FE11DB19ECD83793361EB01B84F514039DA8D8BB6ADF7DE490C341

Function 00007FF620376230 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF620376311
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62037634E
memcpy.VCRUNTIME140 ref: 00007FF620376358
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62037638B

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 24eb0d0bfc739fd0560a49163c489c9a1d7702e14198e5e5682604173dba1149
Instruction ID: 2017cabc5f285a62225c8c569b942e4929f350dde022305dc77fc196e3fc5057
Opcode Fuzzy Hash: 24eb0d0bfc739fd0560a49163c489c9a1d7702e14198e5e5682604173dba1149
Instruction Fuzzy Hash: E6411222B09683E4EE109F26D9943AD6252AB04BD4F544635DA6D4BBEADF7CE051C302

Function 00007FF6203750E0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d939e6395f353c4ea1df2c66ca6111bff599e46454ea5fa47db64c4fff99d848
Instruction ID: 036973729bfdf357c6583af2e3fd54be48e6e337ac7123e73a796c2dceb9dba9
Opcode Fuzzy Hash: d939e6395f353c4ea1df2c66ca6111bff599e46454ea5fa47db64c4fff99d848
Instruction Fuzzy Hash: 00515E32609A82D6DF148F69E89036D73A0FB84BA4F544636DA9D8B7B8DF7CC444C741

Function 00007FF620375560 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF6203711CF), ref: 00007FF6203755C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF6203711CF), ref: 00007FF620375630

Part of subcall function 00007FF620376A40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62037575C,?,?,?,?,?,?,?,00007FF6203711CF), ref: 00007FF620376A5A

memcpy.VCRUNTIME140(?,?,?,00007FF6203711CF), ref: 00007FF620375653
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF620375678

Memory Dump Source

Source File: 00000001.00000002.1837029429.00007FF620371000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF620370000, based on PE: true

Associated: 00000001.00000002.1837006022.00007FF620370000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837068376.00007FF620378000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837112806.00007FF62037C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1837142925.00007FF62037D000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff620370000_P00LCUE.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 3b52f562bfd545fd0f8adf20f526fa586fa18b333cc07292c2b5d6ba1187337a
Instruction ID: a69d9c5a01feb39a703de5f3311c4a9d5f114be638af1a35fa63f4cdd002e052
Opcode Fuzzy Hash: 3b52f562bfd545fd0f8adf20f526fa586fa18b333cc07292c2b5d6ba1187337a
Instruction Fuzzy Hash: 9C31A423A09787E5EE185B55A8803A92250EB15BB4F580735DB7D4F7E2DFBCE092C342

Analysis Process: BLACKSUPER X.exePID: 7576, Parent PID: 7468COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B797A81 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32 ref: 00007FFD9B797B30

Strings

UAWA, xrefs: 00007FFD9B797A9A

Memory Dump Source

Source File: 00000003.00000002.2000161235.00007FFD9B790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b790000_BLACKSUPER X.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: UAWA
API String ID: 3662101638-1492024814
Opcode ID: dc4dfbd9108a5a9cfae0e0fe0f1b08087d7271ef2b64d03d957a4ef5af6c6b24
Instruction ID: a99ba92eeb59db362a29b6597984acb0833be0438c2e5cab80470460f3b8ddf1
Opcode Fuzzy Hash: dc4dfbd9108a5a9cfae0e0fe0f1b08087d7271ef2b64d03d957a4ef5af6c6b24
Instruction Fuzzy Hash: E731E33190875C8FCB58DF58C88A7E97BE0FF65311F05426AD489D7292DB34A846CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XSLHv0kxy7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BLACKSUPER X.exe_175f8be7b2927dcfe564353a4b63bca3ee77699a_64f3a80a_ae410ffc-cda7-44d4-9675-dd62bff63721\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5045.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER520B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER523B.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XSLHv0kxy7.exe.log

C:\Users\user\AppData\Local\Temp\BLACKSUPER X.exe

C:\Users\user\AppData\Local\Temp\P00LCUE.exe

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
XSLHv0kxy7.exe

Function 00007FF6203741C0 Relevance: 77.3, APIs: 33, Strings: 11, Instructions: 251
processCOMMON

Function 00007FF620373D50 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 251
processCOMMON

Function 00007FF620373A40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 123
processsynchronizationwindowCOMMON

Function 00007FF6203725B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115
processCOMMON

Function 00007FF620372EB0 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 257
injectionCOMMON

Function 00007FF620372AF0 Relevance: 19.7, APIs: 13, Instructions: 173
COMMON

Function 00007FF620375DD0 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Function 00007FF620376DD4 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre