Edit tour

Windows Analysis Report
TcQOmn7lnP.exe

Overview

General Information

Sample name:	TcQOmn7lnP.exe renamed because original name is a hash value
Original sample name:	da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b.exe
Analysis ID:	1561597
MD5:	edd87a78e02a4c11c82bb8ccce9815d6
SHA1:	a5c6753e71e4d4ad83325c60ec88780471297272
SHA256:	da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

TcQOmn7lnP.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\TcQOmn7lnP.exe" MD5: EDD87A78E02A4C11C82BB8CCCE9815D6)

FileExplorer.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Roaming\FileExplorer.exe" MD5: EDD87A78E02A4C11C82BB8CCCE9815D6)

FileExplorer.exe (PID: 3544 cmdline: "C:\Users\user\AppData\Roaming\FileExplorer.exe" MD5: EDD87A78E02A4C11C82BB8CCCE9815D6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["192.168.68.139", "tell-outcome.gl.at.ply.gg"], "Port": 2068, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
TcQOmn7lnP.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
TcQOmn7lnP.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x70b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7156:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x726b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6f2b:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\FileExplorer.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\FileExplorer.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x70b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7156:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x726b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6f2b:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6eb9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f56:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x706b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6d2b:$cnc4: POST / HTTP/1.1
Process Memory Space: TcQOmn7lnP.exe PID: 1020	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.TcQOmn7lnP.exe.c10000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.TcQOmn7lnP.exe.c10000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x70b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7156:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x726b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6f2b:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\FileExplorer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\TcQOmn7lnP.exe, ProcessId: 1020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileExplorer

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T21:15:45.029291+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.6	49996	147.185.221.24	2068	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TcQOmn7lnP.exe

Avira: detected

Antivirus detection for URL or domain

Source: tell-outcome.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\FileExplorer.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: TcQOmn7lnP.exe

Malware Configuration Extractor: Xworm {"C2 url": ["192.168.68.139", "tell-outcome.gl.at.ply.gg"], "Port": 2068, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FileExplorer.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: TcQOmn7lnP.exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FileExplorer.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TcQOmn7lnP.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: TcQOmn7lnP.exe	String decryptor: 192.168.68.139,tell-outcome.gl.at.ply.gg
Source: TcQOmn7lnP.exe	String decryptor: 2068
Source: TcQOmn7lnP.exe	String decryptor: <123456789>
Source: TcQOmn7lnP.exe	String decryptor: <Xwormmm>
Source: TcQOmn7lnP.exe	String decryptor: XWorm V5.6
Source: TcQOmn7lnP.exe	String decryptor: USB.exe
Source: TcQOmn7lnP.exe	String decryptor: %AppData%
Source: TcQOmn7lnP.exe	String decryptor: FileExplorer.exe

Source: TcQOmn7lnP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TcQOmn7lnP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49710 -> 147.185.221.24:2068
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49996 -> 147.185.221.24:2068

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 192.168.68.139
Source: Malware configuration extractor	URLs: tell-outcome.gl.at.ply.gg

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 147.185.221.24:2068

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: tell-outcome.gl.at.ply.gg

Source: TcQOmn7lnP.exe, 00000000.00000002.4547347546.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: TcQOmn7lnP.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.TcQOmn7lnP.exe.c10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34567522	0_2_00007FFD34567522
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34566366	0_2_00007FFD34566366
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34564884	0_2_00007FFD34564884
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD3456405D	0_2_00007FFD3456405D
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34564B3D	0_2_00007FFD34564B3D
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34565B65	0_2_00007FFD34565B65
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34563038	0_2_00007FFD34563038
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD34561DFA	0_2_00007FFD34561DFA

Source: TcQOmn7lnP.exe, 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs TcQOmn7lnP.exe
Source: TcQOmn7lnP.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs TcQOmn7lnP.exe

Source: TcQOmn7lnP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TcQOmn7lnP.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.TcQOmn7lnP.exe.c10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: TcQOmn7lnP.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: TcQOmn7lnP.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: TcQOmn7lnP.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FileExplorer.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FileExplorer.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FileExplorer.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: TcQOmn7lnP.exe, Settings.cs	Base64 encoded string: 'k0zJvL6lXZ0dNE5hDmbWWxfshhFq30H7R3FWafSof8V6AHqXGgzn0myieGPS+tsT'
Source: FileExplorer.exe.0.dr, Settings.cs	Base64 encoded string: 'k0zJvL6lXZ0dNE5hDmbWWxfshhFq30H7R3FWafSof8V6AHqXGgzn0myieGPS+tsT'

Source: TcQOmn7lnP.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: TcQOmn7lnP.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: FileExplorer.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: FileExplorer.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@1/2

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

File created: C:\Users\user\AppData\Roaming\FileExplorer.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Mutant created: \Sessions\1\BaseNamedObjects\SXJOPv2u5QpF0aEa

Source: unknown	Process created: C:\Users\user\AppData\Roaming\FileExplorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FileExplorer.exe

Source: TcQOmn7lnP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TcQOmn7lnP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TcQOmn7lnP.exe

ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

File read: C:\Users\user\Desktop\TcQOmn7lnP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TcQOmn7lnP.exe "C:\Users\user\Desktop\TcQOmn7lnP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FileExplorer.exe "C:\Users\user\AppData\Roaming\FileExplorer.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FileExplorer.exe "C:\Users\user\AppData\Roaming\FileExplorer.exe"

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: TcQOmn7lnP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TcQOmn7lnP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: TcQOmn7lnP.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: TcQOmn7lnP.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: FileExplorer.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: FileExplorer.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Code function: 0_2_00007FFD345600BD pushad ; iretd	0_2_00007FFD345600C1
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Code function: 2_2_00007FFD345700BD pushad ; iretd	2_2_00007FFD345700C1
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Code function: 6_2_00007FFD345400BD pushad ; iretd	6_2_00007FFD345400C1

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

File created: C:\Users\user\AppData\Roaming\FileExplorer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileExplorer			Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FileExplorer			Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Memory allocated: 1A850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Memory allocated: 1AB70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Window / User API: threadDelayed 1875			Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Window / User API: threadDelayed 7951			Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe TID: 2788	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe TID: 2936	Thread sleep count: 1875 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe TID: 2936	Thread sleep count: 7951 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe TID: 5644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe TID: 3476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: TcQOmn7lnP.exe, 00000000.00000002.4545385172.00000000011A4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	Queries volume information: C:\Users\user\Desktop\TcQOmn7lnP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\FileExplorer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FileExplorer.exe	Queries volume information: C:\Users\user\AppData\Roaming\FileExplorer.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: TcQOmn7lnP.exe, 00000000.00000002.4549183713.000000001BD10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: TcQOmn7lnP.exe, 00000000.00000002.4549183713.000000001BD10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\TcQOmn7lnP.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: TcQOmn7lnP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TcQOmn7lnP.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TcQOmn7lnP.exe PID: 1020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\FileExplorer.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: TcQOmn7lnP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TcQOmn7lnP.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TcQOmn7lnP.exe PID: 1020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\FileExplorer.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	131 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
TcQOmn7lnP.exe	87%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
TcQOmn7lnP.exe	100%	Avira	HEUR/AGEN.1305769
TcQOmn7lnP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\FileExplorer.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\FileExplorer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\FileExplorer.exe	87%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
192.168.68.139	0%	Avira URL Cloud	safe
tell-outcome.gl.at.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tell-outcome.gl.at.ply.gg	147.185.221.24	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
192.168.68.139	true	Avira URL Cloud: safe	unknown
tell-outcome.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TcQOmn7lnP.exe, 00000000.00000002.4547347546.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	tell-outcome.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Private

IP
192.168.68.139

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561597
Start date and time:	2024-11-23 21:12:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TcQOmn7lnP.exe renamed because original name is a hash value
Original Sample Name:	da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 60 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FileExplorer.exe, PID 3544 because it is empty
Execution Graph export aborted for target FileExplorer.exe, PID 7132 because it is empty
Execution Graph export aborted for target TcQOmn7lnP.exe, PID 1020 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: TcQOmn7lnP.exe

Simulations

Behavior and APIs

Time	Type	Description
15:13:05	API Interceptor	13080385x Sleep call for process: TcQOmn7lnP.exe modified
21:13:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FileExplorer C:\Users\user\AppData\Roaming\FileExplorer.exe
21:13:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run FileExplorer C:\Users\user\AppData\Roaming\FileExplorer.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.185.221.24	1LFcs1ZJy2.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	owuP726k3d.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.19
	1LFcs1ZJy2.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	enigma_loader.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	exe006.exe	Get hash	malicious	SheetRat	Browse	147.185.221.23
	exe003.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	OXhiMvksgM.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	147.185.221.23

Process:	C:\Users\user\AppData\Roaming\FileExplorer.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\FileExplorer.exe

Download File

Process:	C:\Users\user\Desktop\TcQOmn7lnP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	5.593454396400531
Encrypted:	false
SSDEEP:	768:S1M4swsuaI9VSLVHJOVW5NmLU6eKch1W9FW9Y5qRLOjh2bW:SykZaI9VSOVW5YMKchOFW9Y58LOj0C
MD5:	EDD87A78E02A4C11C82BB8CCCE9815D6
SHA1:	A5C6753E71E4D4AD83325C60EC88780471297272
SHA-256:	DA98F8DE94A1F21ADEBDE64BD45A11921FEDEAEC036035C46B80621B619F017B
SHA-512:	3BBDAFA95291AC1DF2FB4545F9F3818C1A5B817A4D6F3DDE182A3996E71D2FD118DF1447DDAF855C4432B8BDDA454AE0AA26A31C4333785F87B744F34492A4CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\FileExplorer.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\FileExplorer.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@g.................\|.............. ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....{... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H........Q..\|J............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.593454396400531
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TcQOmn7lnP.exe
File size:	34'304 bytes
MD5:	edd87a78e02a4c11c82bb8ccce9815d6
SHA1:	a5c6753e71e4d4ad83325c60ec88780471297272
SHA256:	da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b
SHA512:	3bbdafa95291ac1df2fb4545f9f3818c1a5b817a4d6f3dde182a3996e71d2fd118df1447ddaf855c4432b8bdda454ae0aa26a31c4333785f87b744f34492a4cd
SSDEEP:	768:S1M4swsuaI9VSLVHJOVW5NmLU6eKch1W9FW9Y5qRLOjh2bW:SykZaI9VSOVW5YMKchOFW9Y58LOj0C
TLSH:	8CF25C44BB908712C5FE6FF41AB272024275F6078913EB6E0CD4899A6F77ED18A407F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@g.................\|............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x409bde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740BDEA [Fri Nov 22 17:22:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b88	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7be4	0x7c00	d446690bdc2a514c59e1ebff1f143135	False	0.5022366431451613	data	5.739787606944486	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4d8	0x600	afbb984503128042cc38bf70e5e337f4	False	0.375	data	3.7203482473352403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	ca5bd00d345b21656d2f58dc74009395	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x244	data			0.4724137931034483
RT_MANIFEST	0xa2e8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T21:13:18.756098+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49710	147.185.221.24	2068	TCP
2024-11-23T21:15:45.029291+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.6	49996	147.185.221.24	2068	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:13:05.666874886 CET	49710	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:13:05.827321053 CET	2068	49710	147.185.221.24	192.168.2.6
Nov 23, 2024 21:13:05.827451944 CET	49710	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:13:06.045134068 CET	49710	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:13:06.169532061 CET	2068	49710	147.185.221.24	192.168.2.6
Nov 23, 2024 21:13:18.756098032 CET	49710	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:13:18.879650116 CET	2068	49710	147.185.221.24	192.168.2.6
Nov 23, 2024 21:13:27.840131998 CET	2068	49710	147.185.221.24	192.168.2.6
Nov 23, 2024 21:13:27.843502998 CET	49710	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:13:28.031359911 CET	49710	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:13:28.033179045 CET	49763	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:28.150964022 CET	2068	49710	147.185.221.24	192.168.2.6
Nov 23, 2024 21:13:28.152712107 CET	2068	49763	192.168.68.139	192.168.2.6
Nov 23, 2024 21:13:28.153806925 CET	49763	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:28.431694984 CET	49763	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:28.551629066 CET	2068	49763	192.168.68.139	192.168.2.6
Nov 23, 2024 21:13:40.607737064 CET	49763	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:40.731333017 CET	2068	49763	192.168.68.139	192.168.2.6
Nov 23, 2024 21:13:50.135797024 CET	2068	49763	192.168.68.139	192.168.2.6
Nov 23, 2024 21:13:50.135911942 CET	49763	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:52.044454098 CET	49763	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:52.045370102 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:52.231347084 CET	2068	49763	192.168.68.139	192.168.2.6
Nov 23, 2024 21:13:52.231429100 CET	2068	49816	192.168.68.139	192.168.2.6
Nov 23, 2024 21:13:52.231537104 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:52.276190996 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:13:52.395716906 CET	2068	49816	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:04.841799974 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:04.968070030 CET	2068	49816	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:08.607259989 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:08.733679056 CET	2068	49816	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:14.183305025 CET	2068	49816	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:14.183446884 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:18.654021025 CET	49816	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:18.656196117 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:18.773570061 CET	2068	49816	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:18.776123047 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:18.778743029 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:18.942573071 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:19.064846039 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:22.732414961 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:22.898879051 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:24.169770002 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:24.431186914 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:24.431262016 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:24.550992012 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:24.551059961 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:24.670737982 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:32.622951031 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:32.742472887 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:34.966622114 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:35.092179060 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:40.700962067 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:40.752351046 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:40.752420902 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:40.752492905 CET	49876	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:40.754056931 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:40.821053028 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:40.873766899 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:40.873817921 CET	2068	49876	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:40.875154972 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:40.875262976 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:40.998202085 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:41.120863914 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:43.951229095 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:44.076687098 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:46.513762951 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:46.640176058 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:46.685388088 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:46.919177055 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:46.919300079 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:47.038947105 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:53.060676098 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:53.181611061 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:14:57.563690901 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:14:57.686851025 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:02.815247059 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:02.815332890 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:07.700766087 CET	49927	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:07.702439070 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:07.869240999 CET	2068	49927	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:07.869308949 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:07.869484901 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:07.966206074 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:08.087691069 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:13.248456001 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:13.532296896 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:13.532413960 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:13.652017117 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:19.701154947 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:19.821587086 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:23.779320955 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:23.927490950 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:23.927712917 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:24.164068937 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:29.793662071 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:29.793742895 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:33.924235106 CET	49985	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:15:33.927755117 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:34.044334888 CET	2068	49985	192.168.68.139	192.168.2.6
Nov 23, 2024 21:15:34.049115896 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:34.049226999 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:34.471999884 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:34.785491943 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:39.107711077 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:39.233916044 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:39.669917107 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:39.791383028 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:39.791461945 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:39.915931940 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:39.916078091 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:40.073589087 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:40.076127052 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:40.365027905 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:40.366662979 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:40.488337040 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:45.029290915 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:45.153774023 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:45.153897047 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:45.278067112 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:53.248311043 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:53.372072935 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:55.466974974 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:55.794585943 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:55.938250065 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:55.938426971 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:55.988540888 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:55.988640070 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:56.209916115 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:56.263883114 CET	49996	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:15:56.416789055 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:56.419899940 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:15:56.662470102 CET	2068	49996	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:00.547873020 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:00.671550035 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:00.672000885 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:00.929377079 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:01.055819988 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:01.055923939 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:01.175549984 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:01.310812950 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:01.436352015 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:06.701080084 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:06.820578098 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:11.201241970 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:11.327686071 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:16.216753960 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:16.337908030 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:20.563868046 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:20.687330961 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:21.499022961 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:21.621630907 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:21.621679068 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:21.932779074 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:21.969640017 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:21.969687939 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:22.052512884 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:22.089502096 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:22.232381105 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:22.365283012 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:22.639527082 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:22.639688969 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:26.704476118 CET	49999	2068	192.168.2.6	147.185.221.24
Nov 23, 2024 21:16:26.731875896 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:26.824088097 CET	2068	49999	147.185.221.24	192.168.2.6
Nov 23, 2024 21:16:26.851680994 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:26.852876902 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:27.034071922 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:27.158097982 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:27.201176882 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:27.435467958 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:27.435549974 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:27.556153059 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:28.159885883 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:28.281996965 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:29.201659918 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:29.325283051 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:32.623904943 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:32.744467020 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:33.576277971 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:33.703730106 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:34.436002016 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:34.557898998 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:35.591984034 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:35.718106031 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:37.732609034 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:37.874330044 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:37.874403954 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:37.994005919 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:37.994070053 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:38.113806009 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:38.113909006 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:38.233541012 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:43.107723951 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:43.232311964 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:43.232402086 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:43.352734089 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:43.352792978 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:43.472985983 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:44.624027014 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:44.780992985 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:48.826642990 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:48.831931114 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.404119015 CET	50000	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.405752897 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.526122093 CET	2068	50000	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:53.527796984 CET	2068	50002	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:53.527870893 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.600316048 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.725570917 CET	2068	50002	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:53.725636005 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.852061987 CET	2068	50002	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:53.852168083 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:53.974632978 CET	2068	50002	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:55.029433012 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:55.198487997 CET	2068	50002	192.168.68.139	192.168.2.6
Nov 23, 2024 21:16:55.623339891 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:16:55.742865086 CET	2068	50002	192.168.68.139	192.168.2.6
Nov 23, 2024 21:17:01.263809919 CET	50002	2068	192.168.2.6	192.168.68.139
Nov 23, 2024 21:17:01.383781910 CET	2068	50002	192.168.68.139	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 21:13:05.409369946 CET	50081	53	192.168.2.6	1.1.1.1
Nov 23, 2024 21:13:05.645754099 CET	53	50081	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 21:13:05.409369946 CET	192.168.2.6	1.1.1.1	0x424b	Standard query (0)	tell-outcome.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 21:13:05.645754099 CET	1.1.1.1	192.168.2.6	0x424b	No error (0)	tell-outcome.gl.at.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:12:56
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\TcQOmn7lnP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TcQOmn7lnP.exe"
Imagebase:	0xc10000
File size:	34'304 bytes
MD5 hash:	EDD87A78E02A4C11C82BB8CCCE9815D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2104542914.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:13:09
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\FileExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\FileExplorer.exe"
Imagebase:	0x6b0000
File size:	34'304 bytes
MD5 hash:	EDD87A78E02A4C11C82BB8CCCE9815D6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\FileExplorer.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\FileExplorer.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:13:18
Start date:	23/11/2024
Path:	C:\Users\user\AppData\Roaming\FileExplorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\FileExplorer.exe"
Imagebase:	0x950000
File size:	34'304 bytes
MD5 hash:	EDD87A78E02A4C11C82BB8CCCE9815D6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFD34566366 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eef18a92c89f2c96ceccd4506a7f8d0de23d038cb48b76476da057caacd628c
Instruction ID: afa1562fa22ae1fa9c64fdc08951f43c2e9399ef4f9313b72dc5c68765cc7aa8
Opcode Fuzzy Hash: 7eef18a92c89f2c96ceccd4506a7f8d0de23d038cb48b76476da057caacd628c
Instruction Fuzzy Hash: E0F1C630A09A4D8FEBA9DF28D8957E977E1FF55310F04426EE84DC7291CF78A9418B81

Function 00007FFD34567522 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4194c58475978be2588bd6214869fd43f3681ad44fe84888f9e815d0e52db7b
Instruction ID: 1f56d883ad4f92665a3e60bebb8cec3cccd7ba1c1dfd13281f2dbd747f28a0d2
Opcode Fuzzy Hash: b4194c58475978be2588bd6214869fd43f3681ad44fe84888f9e815d0e52db7b
Instruction Fuzzy Hash: 01E1A530A08A4E8FEBA9DF28C8657E977D1FF55320F14426AD84DC7291DF78A944C781

Function 00007FFD34560E79 Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

SAM_^, xrefs: 00007FFD345610CC

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID: SAM_^
API String ID: 0-3658645246
Opcode ID: 84a8261f020e15794933c58069e8d359aeb6c97c0af713af43ff41bbe1fada4d
Instruction ID: d5cb45665d6cb47b2c318ab5b7a6dbf79824aee9bff7caeaa5b998da631c893a
Opcode Fuzzy Hash: 84a8261f020e15794933c58069e8d359aeb6c97c0af713af43ff41bbe1fada4d
Instruction Fuzzy Hash: 30A18531B19A0D4FEB99F778C4A96B937A2FF89311B800479E40EC72C2DE6DAC518750

Function 00007FFD345605A0 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

}E4, xrefs: 00007FFD34560D89

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID: }E4
API String ID: 0-3687626112
Opcode ID: dc47c3e743d774df65fa6692fcbef73969f496dbca280e660fb902832c3cf642
Instruction ID: 02deb49d8d6944f3ac7bf9b5c4c33a52be6702de0a8d75c2086b577e5e2f9210
Opcode Fuzzy Hash: dc47c3e743d774df65fa6692fcbef73969f496dbca280e660fb902832c3cf642
Instruction Fuzzy Hash: 2961F823F1D90E0FEBA5E76C94661B9B7E2EF86721F440276D04DD3296DE6C6C428340

Function 00007FFD34568292 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34568343

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 4c2443d9493bae327efa0fcc1bbcaccdc93060f60bbd2908009f214ad4367668
Instruction ID: 06c63bd897a27224447f3bf885233763e3d7162490a0f0d6cea5e0ff9bfda89a
Opcode Fuzzy Hash: 4c2443d9493bae327efa0fcc1bbcaccdc93060f60bbd2908009f214ad4367668
Instruction Fuzzy Hash: DC41E031E08A5D8FDB41ABA8C8595E97BF0FF5A320F04017BD949C3191DB3C9955CB91

Function 00007FFD34561AED Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

SAM_^, xrefs: 00007FFD34561B36

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID: SAM_^
API String ID: 0-3658645246
Opcode ID: 21a3dc51bbe8284a89f5ff5a4d3420c6e43629c6f01578ee34231b38e5272b71
Instruction ID: 62cbc6ca429604465c16d7b138288a9f53dcf4d06453ca2fe716b373ec39bf02
Opcode Fuzzy Hash: 21a3dc51bbe8284a89f5ff5a4d3420c6e43629c6f01578ee34231b38e5272b71
Instruction Fuzzy Hash: 0D11B721F0D6D20BE317A37848B11B92BA69F83320F4D11B9D188C71D3DD2DA8059391

Function 00007FFD34561B58 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

SAM_^, xrefs: 00007FFD34561B36

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID: SAM_^
API String ID: 0-3658645246
Opcode ID: 202fef180c3294770b78d390bd9d5c73c2fc9d8b13f7fb4954d7b6028998198c
Instruction ID: ea67f3ff870ca6d2ab2421d06805343d59bcf967d370ce2fc140c12f6ebac1f3
Opcode Fuzzy Hash: 202fef180c3294770b78d390bd9d5c73c2fc9d8b13f7fb4954d7b6028998198c
Instruction Fuzzy Hash: EFF0DC31F0C4168BE266D768C4A267833A6EF97330F482634C109C31E1EF2CB812A780

Function 00007FFD34561BE0 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71c9b697815aa56f2e8158cc204278ee4d01585cdc5e59863a0c97fe040dbcb
Instruction ID: e5f1b7ea573609b1369284cf845e8879fe73cab1ec0cbd0be332db56b83c58e8
Opcode Fuzzy Hash: b71c9b697815aa56f2e8158cc204278ee4d01585cdc5e59863a0c97fe040dbcb
Instruction Fuzzy Hash: CFA10B62F1CE0A0BE7A9A72C94653B967D2FF99361F940179E04ED33D6DD2CAC024341

Function 00007FFD34567136 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db08e2f1fabcb72e6daae8ebdc9e33a24411788ea470aedfd2774a644c261f6a
Instruction ID: 41991882da76384019ab5080581b4f4d0fc62734d0a53693b08b13a3c04a8e43
Opcode Fuzzy Hash: db08e2f1fabcb72e6daae8ebdc9e33a24411788ea470aedfd2774a644c261f6a
Instruction Fuzzy Hash: 98B1A430A0CA4D4FEB69DF28D8557E93BE1FF55310F14426AE84DC7292CF78A9458B82

Function 00007FFD345627E9 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec82c10d3a1e09ff873f826142659894b7243cb0eee96ab220a34679e0716229
Instruction ID: b870e7eda3863e576565bcbce16f7de6589f18d4d518d8b32f6e21eb2de54fee
Opcode Fuzzy Hash: ec82c10d3a1e09ff873f826142659894b7243cb0eee96ab220a34679e0716229
Instruction Fuzzy Hash: FCA10961F1CE4A0FE7A9A72C94752B967D2FF99350F94017AE08ED72D6DD2C9C028341

Function 00007FFD34562BE5 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36970cab26f02748a782d90d908b8e3c6459d98b6678730c3e969f7735cd9b0a
Instruction ID: d3760b0c39b0a45fbf01504ff114548d34ee2e70cfdf442d89c2b8c8877bde37
Opcode Fuzzy Hash: 36970cab26f02748a782d90d908b8e3c6459d98b6678730c3e969f7735cd9b0a
Instruction Fuzzy Hash: E4A1B020B1CD495BEB99B7AC84727BAB3D6EF9A301F540576E048C32E2CD2CEC418352

Function 00007FFD34568DAD Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb8478d708358e874309bad0693739d5f7e7620bc9fa0fa68d894f5a0d77bf9
Instruction ID: 09a9833120920b3b9c79931a6a67aa83458f70f2b01fc664e4f999944c22b509
Opcode Fuzzy Hash: deb8478d708358e874309bad0693739d5f7e7620bc9fa0fa68d894f5a0d77bf9
Instruction Fuzzy Hash: A181EA31F1D9494FEB59EB6894A56F9B7E1EF59321F04017AE00ED32D2CE2CA842C741

Function 00007FFD34567F00 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4845f6d7106cf7415f95caf6bcab4443013ddd804f7ac5104fbe14bd75d68051
Instruction ID: b3ca12b1f4a91f34a11c3624b85d0b6cd638fe3ac9852d971e8efd82ddb192ed
Opcode Fuzzy Hash: 4845f6d7106cf7415f95caf6bcab4443013ddd804f7ac5104fbe14bd75d68051
Instruction Fuzzy Hash: D9213632F0CE9D4FDB91EB6C98655AD7BE1FB96320B0001BBE50CC3182DE2898518781

Function 00007FFD34561C20 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143e290663d65d5ecbb36ec321f755d75de35753c1b28ef5c021c07d2888729f
Instruction ID: 82b3c63d968007366fd37337b8ddb466acebeed1a646c5c8e48fc1eae3ef1a85
Opcode Fuzzy Hash: 143e290663d65d5ecbb36ec321f755d75de35753c1b28ef5c021c07d2888729f
Instruction Fuzzy Hash: 90712A31F0EA5A0FE75A9B7488B61B57BA0EF42331F0412B9D54DC71D3DD2C68568392

Function 00007FFD34562538 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0a4bc72cb1b72c5cda9d25393810dbbe8e28a2bec1d0623f26a558840a8e18
Instruction ID: 31d3ea4889002fed3f5dcd6012890f48aec75f34ca661a735a929e6ca384c18a
Opcode Fuzzy Hash: 3f0a4bc72cb1b72c5cda9d25393810dbbe8e28a2bec1d0623f26a558840a8e18
Instruction Fuzzy Hash: 8B715931E0C6894FDB16E77888656A57FA1FF57330F1802AAE049C71D2DE2DA846C751

Function 00007FFD345683BD Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6d6782f449dbf625bc0669c145a92678a5cfdd018bfea7bd73e14cf9479121
Instruction ID: e79852420885b73bf9e37098ebbfdd800d852f33799d0abf1ffe52e91a6af51a
Opcode Fuzzy Hash: ec6d6782f449dbf625bc0669c145a92678a5cfdd018bfea7bd73e14cf9479121
Instruction Fuzzy Hash: E0517231E08A0C8FDB58EB68D8957EDBBF1FF59311F10426AD44DD3252CA78A846CB81

Function 00007FFD34568AC5 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f86dfcb07cd080e00384c7b881ca7bd079590177ffde4c76a67ff86b6bb1487
Instruction ID: 702cd92e8034ce44d1c3ea362210ab01c8f0cbd2a9f1f0564960e6e9d908bc6a
Opcode Fuzzy Hash: 1f86dfcb07cd080e00384c7b881ca7bd079590177ffde4c76a67ff86b6bb1487
Instruction Fuzzy Hash: 0C61F371F1A94D9FEBA5EB68D4A56BC77E1FF49321F0010B9E40DD3292DE2C68059740

Function 00007FFD34568E00 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a183d75fa7a4576daa40e34bd78ab52f42985738b89f50166b600086cf1c93f
Instruction ID: cf0db32ff5e148249b7e0b03ef43e6a6429e853f4a8f0c5033fd3d13bb8e4399
Opcode Fuzzy Hash: 4a183d75fa7a4576daa40e34bd78ab52f42985738b89f50166b600086cf1c93f
Instruction Fuzzy Hash: B751A731F1890C4FEB98EB68C4A96B9B7E1FF99321F440179E00ED3296CE6CAC418740

Function 00007FFD34560550 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bad9f1ca174d64ca23c7221ad63250aae66ceacfc83ef4eb2ecb7b6ca4d380
Instruction ID: b4a1ecee1404f235843b830931ca3eb083f1fa23cd1fd1780542a371805dfbc7
Opcode Fuzzy Hash: e4bad9f1ca174d64ca23c7221ad63250aae66ceacfc83ef4eb2ecb7b6ca4d380
Instruction Fuzzy Hash: 32512631E0CA498FE729EBA8C8656B97BE0EF56321F44417ED149D3192DB3DA442CB41

Function 00007FFD34563C5C Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5793907da76d6b08350527aeb8b8faf8cc6f395e0cda2d25f6623c479acb19d4
Instruction ID: f5588215bffd0223eacacc8f79051ebfb607210b5e85328674a36c0148240b31
Opcode Fuzzy Hash: 5793907da76d6b08350527aeb8b8faf8cc6f395e0cda2d25f6623c479acb19d4
Instruction Fuzzy Hash: 17516431D08A5C8FDB69DB58D855BE9BBF1FB59310F0082AAD04DE3252DE34A9858B81

Function 00007FFD34566ADA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7d7d5baeab10fa11acdca63b1e38b37e88b587d305f576e812e97b4f3c9be4
Instruction ID: 3612d5eceee31628d1d2553eed8a19d987d7917cb314670cc96831060068b1d3
Opcode Fuzzy Hash: 9c7d7d5baeab10fa11acdca63b1e38b37e88b587d305f576e812e97b4f3c9be4
Instruction Fuzzy Hash: 55517130A08A0C8FDB68EF58D8957EDB7F1FF58311F20826AD44DE3256CA74A8458F81

Function 00007FFD34561BD8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff0b3a6828d65b9c97a362299aff0a694833bbe33eb857a62ee5e071804a2e1
Instruction ID: 5919f609bc9dc0bd5f7812a76821bfbbb4343da0f7c5717bcbd019236bafc9cf
Opcode Fuzzy Hash: 9ff0b3a6828d65b9c97a362299aff0a694833bbe33eb857a62ee5e071804a2e1
Instruction Fuzzy Hash: 6151B231F0890D4FDB59FB68C4A46BA77A2FF99320F140279E41EC3291DE2DA851C741

Function 00007FFD34561C08 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a9619384f6da404cb9fbc81c127c8bef580d3d8bd9e3b232cec56b0b516eb4
Instruction ID: d191a9795fe851c879e072034f354924acdb388f4d35ddac651ba71ab66ba86d
Opcode Fuzzy Hash: a2a9619384f6da404cb9fbc81c127c8bef580d3d8bd9e3b232cec56b0b516eb4
Instruction Fuzzy Hash: B3518D30F2991D9FEB98EB28D4A56B873E2FF89311F401079E40DD3292DE3CA8419B40

Function 00007FFD34568B1F Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa5add5600d7ebf772b123bb79dd510fe50804a83a5d0d2e88be44c39395528
Instruction ID: 6df17c84a8345e67b45b41992aceba9fa0b349071797e2acc320741b9785028e
Opcode Fuzzy Hash: 1fa5add5600d7ebf772b123bb79dd510fe50804a83a5d0d2e88be44c39395528
Instruction Fuzzy Hash: 5351E670F1D9499FEB95EB28D8A16A877E1FF5A311F0400BAD40DD3292DE2C6841C741

Function 00007FFD34568596 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6e14d2a43fae062e7386f06c9bd70312b51a48e0031eeb5888c517cc480d3b
Instruction ID: 95de0b5e358c4f4ad30c55ed5b2ddc4e2cfaadd213bef24c0af538f0f039209e
Opcode Fuzzy Hash: 9d6e14d2a43fae062e7386f06c9bd70312b51a48e0031eeb5888c517cc480d3b
Instruction Fuzzy Hash: 15512C71A4DA4D9FDB96EB68C8955E937E0FF17321F0001BAD449C3192DF39A852CB41

Function 00007FFD34562290 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b638d0ec98cce281e3f338f6e481f8da7cdd3c8bb0dbdb929a45d3149c9b9a
Instruction ID: 9331dc315963037079227321c861ae24f2b61dfe0b08d6a2be7d6b9fb5d1c80e
Opcode Fuzzy Hash: 45b638d0ec98cce281e3f338f6e481f8da7cdd3c8bb0dbdb929a45d3149c9b9a
Instruction Fuzzy Hash: F751C474A08A5D8FEB59EF68D4A57A97BE0FF16311F00017EE44AC3692CB79D841CB41

Function 00007FFD34561C48 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81b52aa758e1c62114cb1b6a67a7156941749802faba73843296096cf0fd594
Instruction ID: 2a317e8db287567daa3acccbdad3c267202504a462e40d0e1fb1483772e6447d
Opcode Fuzzy Hash: b81b52aa758e1c62114cb1b6a67a7156941749802faba73843296096cf0fd594
Instruction Fuzzy Hash: 4441A174A08A1C8FDB58EF58D4A5BA977E0FF25312F50017EE44AD3691CB79E841CB41

Function 00007FFD34560BFE Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b645709b55f9fbd002d62060b3901583d010366e891cb98ce0d86711557a2b1
Instruction ID: c6beba0f27131828e4abc129f0ff00de99335c65e899fb92e485097f79831399
Opcode Fuzzy Hash: 2b645709b55f9fbd002d62060b3901583d010366e891cb98ce0d86711557a2b1
Instruction Fuzzy Hash: 2E411A22F1DA9A0FF7A6E77C44661797BD2DF97621B0800BAD44DC3193DD5CAC028341

Function 00007FFD34568721 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da08a5bad62a82276bedf4f1741061b4475d903e652c0079331e0ae0905ed25
Instruction ID: 56a52f963c8ca53e1e403f36ae0f2dc38b41edf44a081c7d47db3994e4f240cc
Opcode Fuzzy Hash: 2da08a5bad62a82276bedf4f1741061b4475d903e652c0079331e0ae0905ed25
Instruction Fuzzy Hash: 3F41A131F49A4D4FDB85EB6884A96FD77E1FF59321B0411BAD40DD3292DE2C9841C741

Function 00007FFD345692DD Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb44a36a85edd8aa9e499f16029f72011656dc9fe77bba8bfb297a462ac33856
Instruction ID: 2da8f62d95293b25d962612d5b2d2478477d46d24cb0cb5867133a48fefaa2e5
Opcode Fuzzy Hash: fb44a36a85edd8aa9e499f16029f72011656dc9fe77bba8bfb297a462ac33856
Instruction Fuzzy Hash: 56411B21B5D7894FD756ABB898723E97BA5EF47310F4502B7E408C71E3DA2CA814C742

Function 00007FFD34560A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ceeca3921e1770715978a199c70556f1083896d49303ff589253d89064f8d04
Instruction ID: 259735da4056c0061bcbfe5c1df7368fddfabcedae77e343910f0684b8a064d6
Opcode Fuzzy Hash: 6ceeca3921e1770715978a199c70556f1083896d49303ff589253d89064f8d04
Instruction Fuzzy Hash: 4331A212F1C9490BEB95A7AC58A93BD77D2EB99711F04427AE00DC3293DE1C98014391

Function 00007FFD34561C10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265613895b5e5b8444e96c91503d791a981f64f801f98e45c1ac65bc23a13761
Instruction ID: a05bd4d0e620021615716f694137fb14850d8edb19a40ca291e3aba330819ba2
Opcode Fuzzy Hash: 265613895b5e5b8444e96c91503d791a981f64f801f98e45c1ac65bc23a13761
Instruction Fuzzy Hash: 8F318F31F09D0D8FEF95EB2884A96BD77E2EF99321B00157AD50DE3291EE2DA8418740

Function 00007FFD34560949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3399c6fff48b0de97d8b0a1e90f6d8c85a0456c15c08ec788700a364b964b9ce
Instruction ID: 5222e8b62d41f99f73a2a5d18625392c36e03f4c7de019410338c7191f457b32
Opcode Fuzzy Hash: 3399c6fff48b0de97d8b0a1e90f6d8c85a0456c15c08ec788700a364b964b9ce
Instruction Fuzzy Hash: DD31A231B18A4E4FEB54EBA8C4656E977A2FF99310F900479D009D73C2CE3CA841C740

Function 00007FFD34560AB0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544b256a862ccc7a178569032b5a76df3ea8a569d36302614afda297f0d489af
Instruction ID: 51b0cc8a5004f7ae77eceb0850a9602b3fb26c18816a4619d1202cb08310ab28
Opcode Fuzzy Hash: 544b256a862ccc7a178569032b5a76df3ea8a569d36302614afda297f0d489af
Instruction Fuzzy Hash: 2831A412F18D094BFB98B7AC58AA3BD77D6EB99751F00027AE40DD3292DD6CAC414391

Function 00007FFD34561365 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c3680dc753342d4278ba45e5862d8c0f13d6b46fff558fce8ff0437ab3859f
Instruction ID: 4198e4d520e4e3493acd35a2a64446446e23edc440ff3e7accd7224b0a9c9db9
Opcode Fuzzy Hash: f1c3680dc753342d4278ba45e5862d8c0f13d6b46fff558fce8ff0437ab3859f
Instruction Fuzzy Hash: D5315221B1C9494FE798EB6C946A378B2C2EF9D315F4405BEE04ED32A7DE68DC418741

Function 00007FFD34569595 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc98935fce130e6fa9ac2b5e635b7c0877deb002b922a355bb6732db507eff1
Instruction ID: 5d16b7828eaf11d960c8ac656b028f5a9f977724c569b04dd6e65618c4195966
Opcode Fuzzy Hash: edc98935fce130e6fa9ac2b5e635b7c0877deb002b922a355bb6732db507eff1
Instruction Fuzzy Hash: AF31B43150D7888FD756DBA8C895AE9BFF0EF57320F0481AFD089D7552C768A409CB51

Function 00007FFD345693A1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ae0f3c01223832a79cf92d71a8b32df0feb896036f63159270d544f661f906
Instruction ID: 7e2a4f4fbd05706fc42040d2fc8477d6ebf57b75f2c1bee24dd3e665aa4ded92
Opcode Fuzzy Hash: 39ae0f3c01223832a79cf92d71a8b32df0feb896036f63159270d544f661f906
Instruction Fuzzy Hash: 5321E121B1CA5D4BEB55B7AC98627E977D5EF5A320F40027AE40CC71D3DE2CA8508792

Function 00007FFD3456116D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1334c0ea7c80e64cbb3f814877694b084e55d6492f9654ec5296637a291d3e0
Instruction ID: 5b019e359da3a64535b29a86ea4e6412be2b407407b41a0bc7a27b80aaa8d05f
Opcode Fuzzy Hash: c1334c0ea7c80e64cbb3f814877694b084e55d6492f9654ec5296637a291d3e0
Instruction Fuzzy Hash: 95210322B0ED8A0FE6AAE72C54641BCA7C1EB9526474403FEC08ED71D7DC6DA9024380

Function 00007FFD34568629 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963d9bb93201d7d0e8c07c8f51e4cc5119bd29c3fec26fadb2a3ca63f9dc4bf7
Instruction ID: d2c8fa85ff09e81ba1ee565f7f851b3e8d298c4c110cc07025db5daa8b49a125
Opcode Fuzzy Hash: 963d9bb93201d7d0e8c07c8f51e4cc5119bd29c3fec26fadb2a3ca63f9dc4bf7
Instruction Fuzzy Hash: 5D319C71A58D1CAFDF95FB6CC4A99A937E1FF59311B00056AE80DC3290DF39A8518B80

Function 00007FFD34561C18 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a1b857a191a7362bb2afff59f17639bf3a5265849a7f34ff7fed59453f4ee4
Instruction ID: edc4d060b3bbbf7895d405e3f88ae363a60f46304331580061b3b9abd4fad739
Opcode Fuzzy Hash: 92a1b857a191a7362bb2afff59f17639bf3a5265849a7f34ff7fed59453f4ee4
Instruction Fuzzy Hash: 2E31A071B58D1D9FDB95FB2CC4999A937E1FF59311B000566E40DC3290DF39A851CB80

Function 00007FFD345694B9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83f295e03963e373d9fbf08b1467c35f39f7b3d529c924049a15cf98fdd3198
Instruction ID: 04a8dee39b1e98b5d9658b4a779769bd001ec03804e2a7b578e0e6e778aa84ff
Opcode Fuzzy Hash: b83f295e03963e373d9fbf08b1467c35f39f7b3d529c924049a15cf98fdd3198
Instruction Fuzzy Hash: 8F212B20F4D5CA0FE746977888726F57BD2EF97321B0410B6D589C71A3CE1C98069791

Function 00007FFD34568963 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056123f4f17fa59e556c237231cc7490359f89a3585b3f859f28eaae1a13f045
Instruction ID: 42be6afeeb8c6d9586e932b9aec6a8c8efe9b9c26f5c28b931f8beb9c27d0ba9
Opcode Fuzzy Hash: 056123f4f17fa59e556c237231cc7490359f89a3585b3f859f28eaae1a13f045
Instruction Fuzzy Hash: 8C11D531F1990A0BEB5CEF6888A92B4B391FF55331F405679D50EC3292DE2DB45687C1

Function 00007FFD34568211 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829e9aaaa5397684b86cab63d6e0dbcaf560ac2529eac1968d0458043a96792f
Instruction ID: 3881b451c808b1c49ffd028ee4a2e12eea9b6114f87c3180f35a670c9e8b0573
Opcode Fuzzy Hash: 829e9aaaa5397684b86cab63d6e0dbcaf560ac2529eac1968d0458043a96792f
Instruction Fuzzy Hash: 54014572E09A4D4FEB51ABA4886A2FE7BF1FF29311F0001BBD108D6192EF3C59048391

Function 00007FFD34561461 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7d5fecc8208283c42205ba5297e41b89157c3cff41290cd000644c39b2d9a4
Instruction ID: b971301e159ecf0f12089ab9e25365d3098503f0b5590fa422184a8eaa8a1c99
Opcode Fuzzy Hash: be7d5fecc8208283c42205ba5297e41b89157c3cff41290cd000644c39b2d9a4
Instruction Fuzzy Hash: 83012655E0CB950FE752AB3C58A14717FF0DF93751B0804AAE9C8C71D3D90CA9458382

Function 00007FFD34561951 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dff800b4b11306b6b78c0256178f747a2955ff5e973c5561ef44976d42aaed
Instruction ID: 3146b62e5530b67845cd87dfd46d8e07b954e663f142fcb031ee5786ec535f48
Opcode Fuzzy Hash: 85dff800b4b11306b6b78c0256178f747a2955ff5e973c5561ef44976d42aaed
Instruction Fuzzy Hash: 34F05E26D4E3C91FE7535B244C715E57FB0AF53210F0D51EBE588CB0A3CA1C690997A2

Function 00007FFD34561C00 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8337c1bb9809cbe6a2fa75a07d1669a5d98e6d27525444ec0adc4463f97abe
Instruction ID: f64c6e5d81cf040d32b036299425d2e673ef0a6de790388c3502314ffe95591a
Opcode Fuzzy Hash: ce8337c1bb9809cbe6a2fa75a07d1669a5d98e6d27525444ec0adc4463f97abe
Instruction Fuzzy Hash: C0F0C231E1591E4AEB50FBE888596FEB7F1FF28301F000177E50DE2195DE3869408791

Function 00007FFD3456204D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5fa23ac963b7f73a269e9dfb20ded7531f3b7efdb3b3e32d81da80dd63446f
Instruction ID: 02c0d84681e5b3057091a815c4b93734bd3a6a1f95bad76f48d49254639d3b8c
Opcode Fuzzy Hash: de5fa23ac963b7f73a269e9dfb20ded7531f3b7efdb3b3e32d81da80dd63446f
Instruction Fuzzy Hash: 07F02811F0C6424FF776737844B62782680AF56321F5510F9E68DC72D3DD5D6841E342

Function 00007FFD3456886C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b095fcf2e44387f0a79f41ff7bbd72d051d07778dda87283ca23f9247c1fc3f8
Instruction ID: cea66cbc9c37018b85df760230a64ba2df04ccc8b6e360dd36c8babc1518cb0e
Opcode Fuzzy Hash: b095fcf2e44387f0a79f41ff7bbd72d051d07778dda87283ca23f9247c1fc3f8
Instruction Fuzzy Hash: C7E0683191E94C4BDF05AA5CA8106D9BBA0FB8A31CF04007AE62CC2080D33D5450C351

Non-executed Functions

Function 00007FFD34563038 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8b83f2201b9c7e814519c96f3bc21264fdc25a2a5433c43f27446632b4ccad
Instruction ID: b24bd3361d8ff46b48856e2655aa52dc90418ac9ee0fae1301c2f39638881a59
Opcode Fuzzy Hash: 9a8b83f2201b9c7e814519c96f3bc21264fdc25a2a5433c43f27446632b4ccad
Instruction Fuzzy Hash: 94D1E730A08A4D8FDB69DF68C8557F97BE1FB55321F04426EE44DC3292CF78A8458B81

Function 00007FFD34564B3D Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e72a5f712acf3c4ad91778d280b5549d9a20a66b02aff115546158c235d8ac7
Instruction ID: c79ca4df62d3d7cffd4997bf5e6294e5b5357d5e44bee5081fd5ca351578e759
Opcode Fuzzy Hash: 0e72a5f712acf3c4ad91778d280b5549d9a20a66b02aff115546158c235d8ac7
Instruction Fuzzy Hash: 72C1B631E0CB4C4FDB19DBA898566EDBBE1EF96321F04426ED049D3292CA786845CB91

Function 00007FFD3456405D Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8304eb1fa1771bbfe97ca330e84861c4e7d1d65f3a5f8e2a3756a327840e893f
Instruction ID: 7ee5b9ba246b72158a64eb40135a5d621fba0b8c8fa903fd5ea25ddafa4c6ef3
Opcode Fuzzy Hash: 8304eb1fa1771bbfe97ca330e84861c4e7d1d65f3a5f8e2a3756a327840e893f
Instruction Fuzzy Hash: 63C1E430A0CA5C4FDB69DBA888557E9BBB1FF56311F0442AED04DD3292CF78A945CB81

Function 00007FFD34565B65 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cc654169fb800698414564f9ace3cfc00987abce80eb535ac6d1005053760f
Instruction ID: da4d5a8f7e6772d47f213886572e70fbfeebfc9767e9993d99269279c93ea7e9
Opcode Fuzzy Hash: 42cc654169fb800698414564f9ace3cfc00987abce80eb535ac6d1005053760f
Instruction Fuzzy Hash: 8991C331E0CA8C4FDB59DBA898557F9BBF1EF56321F0441AED04AD3292CE786845CB81

Function 00007FFD34564884 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b8ce7ec98b842affe2840a195882b5e634ad6141e001b62266c76e80b28da8
Instruction ID: 34fc725013634ff12306018f4a575fa4d16e0962a89231ce654ffe28b8d4f5d1
Opcode Fuzzy Hash: 24b8ce7ec98b842affe2840a195882b5e634ad6141e001b62266c76e80b28da8
Instruction Fuzzy Hash: 7D91E831E0CB4C4FDB59EBA898556EDBBE1EB96321F04826FD04DD3252CE74A845CB81

Function 00007FFD34561DFA Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4550005299.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34560000_TcQOmn7lnP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d90496976d4f971ecf21bab57683b512e194fd429016d1d4ecf434e7a10bec8
Instruction ID: a41acc1ed3ad51d1cce584f1bdc4e8a6c30b3d248a64c3a6e9b958838359835d
Opcode Fuzzy Hash: 5d90496976d4f971ecf21bab57683b512e194fd429016d1d4ecf434e7a10bec8
Instruction Fuzzy Hash: 4991B396E0D7C51EEB63976858B60E67FE0DF2322470A12FBC5D5CA093ED0D5806A352

Analysis Process: FileExplorer.exePID: 7132, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD34570BFE Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

}F4, xrefs: 00007FFD34570D89

Memory Dump Source

Source File: 00000002.00000002.2275409673.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34570000_FileExplorer.jbxd

Similarity

API ID:
String ID: }F4
API String ID: 0-4041336387
Opcode ID: b6cbdecfa87c35e9ae1a966a0b4ea6ef044666ec93ab9830487125536dff453a
Instruction ID: 6c71604cfdae98844197fc293caf550944ba63acade54814dc175df0852298bb
Opcode Fuzzy Hash: b6cbdecfa87c35e9ae1a966a0b4ea6ef044666ec93ab9830487125536dff453a
Instruction Fuzzy Hash: 5F711822F1DA4A0FE796A76C98661B97FE2EF86611F4440BAD04DD3193CD6CAC028391

Function 00007FFD34570E79 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2275409673.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34570000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2c9fdf8f1624987415e44c1a491aec2d9b9f1ca602a8655a81755a5a364785
Instruction ID: ff45c7dbce0469f27ce71b88a6fe0a5bcaffacb2870629e0a896fe9807d4ddeb
Opcode Fuzzy Hash: 1f2c9fdf8f1624987415e44c1a491aec2d9b9f1ca602a8655a81755a5a364785
Instruction Fuzzy Hash: 08916431F1DA594FEB99A77484B96A97BE2FF89300F804478E40ED72D2DE2CAC118751

Function 00007FFD34570A91 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2275409673.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34570000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be59e06d707e5eff2bbe0660c7fdacaf4adaeee73481a830c81061b062be1fca
Instruction ID: eb56b262d60942f0efbd9b959024c9e5bdb1a240987b35321faba5da5f7e137d
Opcode Fuzzy Hash: be59e06d707e5eff2bbe0660c7fdacaf4adaeee73481a830c81061b062be1fca
Instruction Fuzzy Hash: 3531B312F1C9490FFB59ABAC586A3BD7BD2EF99711F044276E00CD3293DD1CA9014391

Function 00007FFD34570949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2275409673.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34570000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c6f89731dc9e6053b46d540ed5a9eb55ce0e33f317a0684fbdbaa0f1bcdb78
Instruction ID: c0f79c39752f30200389e6dcc31b529be4bfbad599c3a890fafc8f509346c541
Opcode Fuzzy Hash: e7c6f89731dc9e6053b46d540ed5a9eb55ce0e33f317a0684fbdbaa0f1bcdb78
Instruction Fuzzy Hash: 2D319E31F1CA0A4FEB55EBA888656EABBE1FF99310F904579D009D72C2CE2CA8418751

Function 00007FFD34571365 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2275409673.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34570000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a4dae16e7fd7b2ab27c64fb9dcc8dcfcec4a0f8b34e7288d987c20a85015a7
Instruction ID: 902804207a9c2971189421735165e24b6baf2162f101b36a824c55a30d099a30
Opcode Fuzzy Hash: c4a4dae16e7fd7b2ab27c64fb9dcc8dcfcec4a0f8b34e7288d987c20a85015a7
Instruction Fuzzy Hash: 6D316421B1C9494FE798EB6C946A378B6C2EF9D315F0405BEE04ED32A7DE68DC418741

Function 00007FFD34571461 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2275409673.00007FFD34570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd34570000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c934e19836467cda05a702aedbc3700d6119be44889a7bbc51a21bce0294886
Instruction ID: 20981530808f69a12ad9cf35ba5afdff1af6f957f2d63dae49684a0624991b8c
Opcode Fuzzy Hash: 9c934e19836467cda05a702aedbc3700d6119be44889a7bbc51a21bce0294886
Instruction Fuzzy Hash: 9D014945E4C7950FE752AB3C1CA5071BFF2DF93700B0844BAE588CB1D7D90CA9458392

Analysis Process: FileExplorer.exePID: 3544, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD34540E79 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD34541016

Memory Dump Source

Source File: 00000006.00000002.2355370928.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34540000_FileExplorer.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f34b6f50c8c0954783e68a46f77593bb0682318f838bef3749c2f81219fa4116
Instruction ID: adfa7af67ae77408f826c45dc52b00bfb9b117d831bdf1c0a029c302b658af05
Opcode Fuzzy Hash: f34b6f50c8c0954783e68a46f77593bb0682318f838bef3749c2f81219fa4116
Instruction Fuzzy Hash: 56915031F196494FE799AB7880B96BD76A2EF89310F900478E80ED73C2DE2DAC418750

Function 00007FFD34540BFE Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

}C4, xrefs: 00007FFD34540D89

Memory Dump Source

Source File: 00000006.00000002.2355370928.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34540000_FileExplorer.jbxd

Similarity

API ID:
String ID: }C4
API String ID: 0-2375422470
Opcode ID: 2e8cdde15ebf18ff3bddbb1174dc26ca99e0b6b6deea93b62cf6cc2c23c8ee24
Instruction ID: a05f435f06d38bcd96f042e98c498d748a6c07fcfabf31586edfd9b7406d431f
Opcode Fuzzy Hash: 2e8cdde15ebf18ff3bddbb1174dc26ca99e0b6b6deea93b62cf6cc2c23c8ee24
Instruction Fuzzy Hash: 1B713B23F0D94A0FE796A76884661B97BE2EF8A611F5400BAD04DD72D3CD2C6C468351

Function 00007FFD34540A91 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2355370928.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34540000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa9a94371d8442fd6baa18f715611f7bcc8456f958197a290efbdee7414aceb
Instruction ID: b52223e1556f85b85c7beff5f1eff0c813ef1f34990235379db1ce92c76ae447
Opcode Fuzzy Hash: 7aa9a94371d8442fd6baa18f715611f7bcc8456f958197a290efbdee7414aceb
Instruction Fuzzy Hash: 1A318212F1C9494BFB95A7AC586A3BD77D2EB99701F14017AE00CD72D3DD1CAC018391

Function 00007FFD34540949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2355370928.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34540000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc833c1bf4cd7d95b73a7eee75ef51321d36eb290ab8a82279431b8fc390b3d
Instruction ID: e3ffc7c33363afcd61a2910ff9eda37e906c402039a4f5abe0c86efaab23faac
Opcode Fuzzy Hash: ccc833c1bf4cd7d95b73a7eee75ef51321d36eb290ab8a82279431b8fc390b3d
Instruction Fuzzy Hash: 04318031B5C64A4FEB54EBA8C4656F9B7A1FF99300F500579D009D73D2CE3CA8458741

Function 00007FFD34541365 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2355370928.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34540000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e8a18fcb519560bfca796a2ba6c5ebf2f3a603dd0e26d68890144ea9e58e88
Instruction ID: 63fc6ad55f71ee33a4ba083d4cbe90980fded5cbd76694d13943cdf8f4c5ca3f
Opcode Fuzzy Hash: 47e8a18fcb519560bfca796a2ba6c5ebf2f3a603dd0e26d68890144ea9e58e88
Instruction Fuzzy Hash: B3315221B1C9494FE798EB6C946A378B2C2EB9D315F0405BEE04ED32A7DE68AC418741

Function 00007FFD34541461 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2355370928.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd34540000_FileExplorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1982329922e9d528f1cc84984fc6bae15bed15818b6ce2a41a43d50f2de7bab
Instruction ID: b379d4e29dc33464e17bc8e859bcd7a37552456319c363e9c9d118973cfcd00d
Opcode Fuzzy Hash: b1982329922e9d528f1cc84984fc6bae15bed15818b6ce2a41a43d50f2de7bab
Instruction Fuzzy Hash: C5012645E0C7950FE752AB3C18A50717FF09B93700B0804BAE988CA2D7D90CA9458392

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TcQOmn7lnP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FileExplorer.exe.log

C:\Users\user\AppData\Roaming\FileExplorer.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
TcQOmn7lnP.exe