Windows Analysis Report
17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe

Overview

General Information

Sample name: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
Analysis ID: 1430138
MD5: f2c8f168ab79a0fadb6234b193c52255
SHA1: ea8f5594f5c3d0e0e317828d8a0316c20b21f1d8
SHA256: 02f1e7955a182f8488b636ec84999bf14b186905e84e3dc796a8eeb1dc84177f
Tags: base64-decodedexe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup

Malware configuration (XWorm):
{"C2 url": ["aprilxrwonew8450.duckdns.org"], "Port": "8450", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Yara matches (Source / Rule / Description / Author / Strings)

Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x70c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7161:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7276:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6d70:$cnc4: POST / HTTP/1.1

Source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x6ec4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6f61:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7076:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6b70:$cnc4: POST / HTTP/1.1

Source: 00000000.00000002.2960481827.00000000028B1000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Source: Process Memory Space: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe PID: 7100
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Source: 0.0.17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe.3c0000.0.unpack
  Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
    • 0x70c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7161:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7276:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6d70:$cnc4: POST / HTTP/1.1

No Sigma rule has matched

Snort alerts

Timestamp: 04/23/24-08:13:20.288518
SID: 2852870
Source Port: 8450
Destination Port: 49712
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/23/24-08:13:07.503950
SID: 2855924
Source Port: 49712
Destination Port: 8450
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/23/24-08:13:20.288518
SID: 2852874
Source Port: 8450
Destination Port: 49712
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Avira: detected
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["aprilxrwonew8450.duckdns.org"], "Port": "8450", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | ReversingLabs: Detection: 78%
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Virustotal: Detection: 67%
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | String decryptor: aprilxrwonew8450.duckdns.org
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | String decryptor: 8450
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | String decryptor: <123456789>
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | String decryptor: USB.exe
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B469000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Management.pdbMZ source: WER96BA.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B469000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Drawing.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Configuration.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962111283.000000001B319000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER96BA.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Configuration.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962111283.000000001B319000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962111283.000000001B319000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER96BA.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962111283.000000001B319000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdbh-J source: WER96BA.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2959782381.0000000000983000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B430000.00000004.00000020.00020000.00000000.sdmp, 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp, WER96BA.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER96BA.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbl source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbSystem.Core.dll source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Drawing.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Management.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: Microsoft.VisualBasic.pdbP source: WER96BA.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Management.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbB source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.PDB source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B469000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER96BA.tmp.dmp.6.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962111283.000000001B319000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER96BA.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER96BA.tmp.dmp.6.dr

Networking

Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.5:49712 -> 134.255.217.251:8450
Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 134.255.217.251:8450 -> 192.168.2.5:49712
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 134.255.217.251:8450 -> 192.168.2.5:49712
Source: Malware configuration extractor | URLs: aprilxrwonew8450.duckdns.org
Source: unknown | DNS query: name: aprilxrwonew8450.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49712 -> 134.255.217.251:8450
Source: Joe Sandbox View | ASN Name: ACTIVE-SERVERSactive-serverscomDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (this entry appears 22 times in the report)
Source: unknown | DNS traffic detected: queries for: aprilxrwonew8450.duckdns.org
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2960481827.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout

System Summary

Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Code function: 0_2_00007FF848F29A7D
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Code function: 0_2_00007FF848F27292
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Code function: 0_2_00007FF848F264E6
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1572
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaprilxrwonew8450.exe4 vs 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Binary or memory string: OriginalFilenameaprilxrwonew8450.exe4 vs 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe.3c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@22/1
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\0VZWHbNr1OapRPc5
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4f770d6f-30a5-4dc4-9900-70ec29208c63
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | File read: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
Source: unknown | Process created: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe "C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe"
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1572
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Binary string: System.Drawing.pdb source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: System.Management.pdb source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: Microsoft.VisualBasic.pdbP source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: mscorlib.ni.pdb source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: System.Management.ni.pdb source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbB source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B493000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.PDB source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B469000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: indoC:\Windows\mscorlib.pdb source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962111283.000000001B319000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER96BA.tmp.dmp.6.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER96BA.tmp.dmp.6.dr

            Data Obfuscation

            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Messages.cs, .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Messages.cs, .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Messages.cs, .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Messages.cs, .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Messages.cs, .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Messages.cs, .Net Code: Memory
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Code function: 0_2_00007FF848F224ED push ebx; iretd 0_2_00007FF848F2250A
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Code function: 0_2_00007FF848F224F8 push ebx; iretd 0_2_00007FF848F2250A
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Memory allocated: C00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Memory allocated: 1A8B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Window / User API: threadDelayed 8726
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Window / User API: threadDelayed 1058
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe TID: 7128, Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe TID: 5808, Thread sleep time: -27670116110564310s >= -30000s
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe TID: 6052, Thread sleep count: 8726 > 30
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe TID: 6052, Thread sleep count: 1058 > 30
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Thread delayed: delay time: 30000
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Thread delayed: delay time: 922337203685477
            Source: Amcache.hve.6.dr, Binary or memory string: VMware
            Source: Amcache.hve.6.dr, Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.6.dr, Binary or memory string: vmci.syshbin
            Source: Amcache.hve.6.dr, Binary or memory string: VMware, Inc.
            Source: Amcache.hve.6.dr, Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.6.dr, Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.6.dr, Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.6.dr, Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.6.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.6.dr, Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.6.dr, Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.6.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B430000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.6.dr, Binary or memory string: vmci.sys
            Source: Amcache.hve.6.dr, Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.6.dr, Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.6.dr, Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.6.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.6.dr, Binary or memory string: VMware20,1
            Source: Amcache.hve.6.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.6.dr, Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.6.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.6.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.6.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.6.dr, Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.6.dr, Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.6.dr, Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.6.dr, Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.6.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.6.dr, Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Process queried: DebugPort
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Process token adjusted: Debug
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Queries volume information: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.6.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.6.dr, Binary or memory string: msmpeng.exe
            Source: Amcache.hve.6.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B469000.00000004.00000020.00020000.00000000.sdmp, 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2962178051.000000001B422000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.6.dr, Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match, File source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, type: SAMPLE
            Source: Yara match, File source: 0.0.17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2960481827.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe PID: 7100, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, type: SAMPLE
            Source: Yara match, File source: 0.0.17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2960481827.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe PID: 7100, type: MEMORYSTR
MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count badge shown in that matrix cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | (1) Windows Management Instrumentation | (1) DLL Side-Loading | (1) Process Injection | (1) Disable or Modify Tools | (1) Input Capture | (31) Security Software Discovery | Remote Services | (1) Input Capture | (1) Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | (1) DLL Side-Loading | (41) Virtualization/Sandbox Evasion | LSASS Memory | (1) Process Discovery | Remote Desktop Protocol | (11) Archive Collected Data | (1) Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | (1) Process Injection | Security Account Manager | (41) Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | (1) Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | (1) Deobfuscate/Decode Files or Information | NTDS | (1) Application Window Discovery | Distributed Component Object Model | Input Capture | (21) Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | (1) Obfuscated Files or Information | LSA Secrets | (13) System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | (2) Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | (1) DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm
17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | 68% | Virustotal |
17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
aprilxrwonew8450.duckdns.org | 3% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
aprilxrwonew8450.duckdns.org | 134.255.217.251 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
aprilxrwonew8450.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.6.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe, 00000000.00000002.2960481827.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
134.255.217.251 | aprilxrwonew8450.duckdns.org | Germany | 197071 | ACTIVE-SERVERSactive-serverscomDE | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1430138
                Start date and time:2024-04-23 08:11:21 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 24s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@2/5@22/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 4
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 20.189.173.22
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
08:12:08 | API Interceptor | 1768803x Sleep call for process: 17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe modified
08:13:44 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
134.255.217.251 | 72625413524.vbs | malicious | XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
aprilxrwonew8450.duckdns.org | 72625413524.vbs | malicious | XWorm | 134.255.217.251
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ACTIVE-SERVERSactive-serverscomDE | 72625413524.vbs | malicious | XWorm | 134.255.217.251
 | ft1i6jvAdD.exe | malicious | Xmrig | 134.255.231.136
 | huhu.mips.elf | malicious | Mirai, Okiru | 95.156.228.183
 | 1B8943B2CCEA3EE9E464B5865711DB721BAE33CA03646.exe | malicious | BazaLoader, SmokeLoader | 134.255.232.95
 | Summaryform_XsssmAVjTv.wsf | malicious | AsyncRAT, zgRAT | 134.255.225.46
 | http://vps-zap756882-1.zap-srv.com | malicious | Unknown | 134.255.234.208
 | 3fB3EuUEe7.exe | malicious | Quasar | 134.255.254.225
 | dl2.exe | malicious | Unknown | 31.214.240.203
 | mpsl.elf | malicious | Mirai | 95.156.228.199
 | KY40Vey3Ml.elf | malicious | Mirai | 95.156.228.196
                  No context
                  No context
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):1.3178252901695047
                  Encrypted:false
                  SSDEEP:384:Sj0Rovm2DCI81i5Jxa48iYdnzuiF9Y4lO8IOB:8TCI81ihaBtzuiF9Y4lO8
                  MD5:E19F3D7C33B789A9104E549CACF12420
                  SHA1:3D2DA9436E3EF2601F79335CCAB1A21BB876E9C0
                  SHA-256:1E333933AC49E070B802509FE9854AF77E6A367C50579EB09EDCED09D9D2194E
                  SHA-512:46050C12B399346BA0A3D9F63559C4DED78E7B7BE529684347FF8D37F374D49DCA7923D2012332E3C02228D09469E2FBC16EFD69ECEB1B9FDDC36E2E1CB7684F
                  Malicious:false
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.2.6.4.1.5.3.8.4.8.0.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.2.6.4.1.6.1.3.4.8.0.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.f.f.a.e.2.2.-.1.b.2.3.-.4.1.3.8.-.9.3.1.c.-.5.9.2.6.0.7.e.e.6.9.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.c.6.c.5.4.1.-.8.1.f.5.-.4.c.1.4.-.8.a.f.8.-.8.f.2.5.9.8.9.a.b.2.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.1.7.1.3.8.5.2.0.6.7.4.5.9.5.6.2.9.f.0.3.6.0.9.2.0.8.3.c.d.6.f.6.7.b.d.b.e.7.3.6.9.6.3.8.0.7.6.e.0.b.4.4.3.5.b.e.5.5.a.c.1.0.7.6.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.p.r.i.l.x.r.w.o.n.e.w.8.4.5.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.4.-.f.4.6.f.-.a.0.2.b.4.5.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.0.c.6.f.6.e.e.3.3.b.e.2.1.4.5.3.6.e.7.d.e.f.7.c.3.e.0.c.d.c.9.0.0.0.0.0.0.0.
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:Mini DuMP crash report, 16 streams, Tue Apr 23 06:13:35 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):517874
                  Entropy (8bit):3.164945325571048
                  Encrypted:false
                  SSDEEP:3072:An7TaH72HgY3Pf4xX6S6VcSm4UF71CCq4FjMe3+vNQgRhz59UDE:i7TaH72Hj3uX6S61m4UNqo53QNQqX9
                  MD5:31D46D75196EB385E61EA6468FAF08A7
                  SHA1:BF839ADCFAD8EA61FEC43BD83588B7732C0726A3
                  SHA-256:B82C2E16B990EF6483DE7B8305BFB0B16F0B91DBA3992C4DDB1C89380F63A40E
                  SHA-512:1EFB2F309083640AAA1B209E88DDE986CAACAF0E84E7A8D06260C5450EAF6EED1248E6E205EBFFC1A66BCBB76E8F0187C6F5870D4543F24660C9EC6A7B28114F
                  Malicious:false
                  Reputation:low
                  Preview:MDMP..a..... ........Q'f........................d...$.......$....(...........(.......=..............l.......8...........T............=..*...........p6..........\8..............................................................................eJ.......8......Lw......................T...........7Q'f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):9080
                  Entropy (8bit):3.7123802078139647
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJv7Cges6YEI4giIgmfZRxd8Xpr289bBqz6FfzjLm:R6lXJzlV6YEnglgmfPbcBu6Ffi
                  MD5:1C4F0B9A724F5BD54E98D3592C3CC816
                  SHA1:348A350FD404834B4410332E257CF38DCC44E61F
                  SHA-256:84049CA490090483E3F4CB9EE1BCA38CE98440FDA494C3D57A64A689B5BE688B
                  SHA-512:03BF4A71F2E737BBF86C285831239D3D798EA3AB0727FE3E5CC77086B9ABB84B7EFAAB44F2811B36BB0AB21BC0522F1E26D3918852847F995BC15DF59B8EE221
                  Malicious:false
                  Reputation:low
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):5051
                  Entropy (8bit):4.5833514820012775
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zs5Jg771I9j4WpW8VY3Ym8M4JZg3oFXQ9yq8vt0X7UJy5yOrd:uIjfLI78x7VLJyWqX7UAQOrd
                  MD5:752678548C59D6CDD503EC0AB2A72A46
                  SHA1:972AC5631949B5011901C55BF1286F32B158B50E
                  SHA-256:D303ACCF905ADA421E8D723216DF9449353C444B562ABB45BA024C6FE56F5431
                  SHA-512:3B89A379C6A163B11E7C06021E6246086E7298624D917DF1FEF283DECC4DCDDF364782C088C3AFED5AF30AA4D1C41B5D3F0992261EDBBFE1E3088BFB0DF67B22
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292156" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.422180960938102
                  Encrypted:false
                  SSDEEP:6144:iSvfpi6ceLP/9skLmb0OTQWSPHaJG8nAgeMZMMhA2fX4WABlEnNG0uhiTw:xvloTQW+EZMM6DFys03w
                  MD5:DF9748F944C827DD2CEA7DCC85C87AA9
                  SHA1:5C60984A60FFC493B51D9C90918B63497B3ADB01
                  SHA-256:1A8457334E26273756579248BF04DCBBE5B941497021AF867F75F2C1B7581AC9
                  SHA-512:8919F7A5E68D42D8A7AB2FB8E319C5C2BAE9364BF11FFA5AC27AE41FB763BFF3C9F1FBE9C7F0487924D271D6FD4289228AC82364EDC04E6E14691CE9F98912FD
                  Malicious:false
                  Reputation:low
                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..._E...............................................................................................................................................................................................................................................................................................................................................a..k........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.5558514274806665
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
                  File size:34'816 bytes
                  MD5:f2c8f168ab79a0fadb6234b193c52255
                  SHA1:ea8f5594f5c3d0e0e317828d8a0316c20b21f1d8
                  SHA256:02f1e7955a182f8488b636ec84999bf14b186905e84e3dc796a8eeb1dc84177f
                  SHA512:5ec1c4d1f22fd304166d94fd227c16630e1574ae0281dab8dd92ed74f82b91a345999131a464bcb7b51fb1b0d5dfeb94180b7a4abc3dc2a593802f732ae62575
                  SSDEEP:768:o4fK1pDGkptwyZScCBSUapNgqlrU/kZB+Bcg4tlTF592unO9hJSURG:4DGkptwyZScCkU4rFUsZIB54HF592qO+
                  TLSH:C6F22A487FE4822ACAFE2BF529F2661503B4D503EA13D75E18D8459A6F37BC08D013E6
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a&f.................~............... ........@.. ....................................@................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x409bfe
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x662661E7 [Mon Apr 22 13:11:03 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the report: the bytes following the CLR entry stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9bb0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x500 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7c04 | 0x7e00 | e0ca28046e78a561b11f7ac7d51ebbea | False | 0.49618675595238093 | data | 5.6961191411544485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x500 | 0x600 | 8950cfec307854250d6eb59d021ac9ad | False | 0.3815104166666667 | data | 3.789894194592707 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc000 | 0xc | 0x200 | 064217dac52cd36d16d6abd04b448fd6 | False | 0.041015625 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa0a0 | 0x26c | data | | | 0.4596774193548387
RT_MANIFEST | 0xa310 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/23/24-08:13:20.288518 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
04/23/24-08:13:07.503950 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
04/23/24-08:13:20.288518 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 23, 2024 08:12:52.741617918 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:12:52.909832954 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:12:52.909972906 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:12:53.077332973 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:12:53.288268089 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:13:07.503950119 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:13:07.727294922 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:13:20.288517952 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:13:20.338387966 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:13:21.854366064 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:13:22.069516897 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:13:27.104613066 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:13:27.335145950 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:13:32.261490107 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Apr 23, 2024 08:13:32.475910902 CEST | 8450 | 49712 | 134.255.217.251 | 192.168.2.5
Apr 23, 2024 08:13:45.081897974 CEST | 49712 | 8450 | 192.168.2.5 | 134.255.217.251
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 23, 2024 08:12:09.893205881 CEST | 51273 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:10.885654926 CEST | 51273 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:11.885720968 CEST | 51273 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:13.901439905 CEST | 51273 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:13.984239101 CEST | 53 | 51273 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:13.984258890 CEST | 53 | 51273 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:13.984272003 CEST | 53 | 51273 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:13.989425898 CEST | 53 | 51273 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:14.106355906 CEST | 53123 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:14.195065975 CEST | 53 | 53123 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:21.824253082 CEST | 50437 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:22.823151112 CEST | 50437 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:24.907093048 CEST | 50437 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:25.915754080 CEST | 53 | 50437 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:25.915776968 CEST | 53 | 50437 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:25.915790081 CEST | 53 | 50437 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:28.997531891 CEST | 51631 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:29.997648001 CEST | 51631 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:31.010735989 CEST | 51631 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:33.010482073 CEST | 51631 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:33.089382887 CEST | 53 | 51631 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:33.089428902 CEST | 53 | 51631 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:33.089483023 CEST | 53 | 51631 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:33.098712921 CEST | 53 | 51631 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:37.136614084 CEST | 61356 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:38.136619091 CEST | 61356 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:39.135896921 CEST | 61356 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:41.151401997 CEST | 61356 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:41.229538918 CEST | 53 | 61356 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:41.229597092 CEST | 53 | 61356 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:41.229613066 CEST | 53 | 61356 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:41.239721060 CEST | 53 | 61356 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:42.538690090 CEST | 55523 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:43.526109934 CEST | 55523 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:44.541723967 CEST | 55523 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:46.557382107 CEST | 55523 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:46.629349947 CEST | 53 | 55523 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:46.629401922 CEST | 53 | 55523 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:46.629417896 CEST | 53 | 55523 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:46.645359039 CEST | 53 | 55523 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:51.120903969 CEST | 63923 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:52.135564089 CEST | 63923 | 53 | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:12:52.735671997 CEST | 53 | 63923 | 1.1.1.1 | 192.168.2.5
Apr 23, 2024 08:12:52.735722065 CEST | 53 | 63923 | 1.1.1.1 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Apr 23, 2024 08:12:09.893205881 CEST | 192.168.2.5 | 1.1.1.1 | 0x62a8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:10.885654926 CEST | 192.168.2.5 | 1.1.1.1 | 0x62a8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:11.885720968 CEST | 192.168.2.5 | 1.1.1.1 | 0x62a8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:13.901439905 CEST | 192.168.2.5 | 1.1.1.1 | 0x62a8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:14.106355906 CEST | 192.168.2.5 | 1.1.1.1 | 0xa084 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:21.824253082 CEST | 192.168.2.5 | 1.1.1.1 | 0x35d8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:22.823151112 CEST | 192.168.2.5 | 1.1.1.1 | 0x35d8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:24.907093048 CEST | 192.168.2.5 | 1.1.1.1 | 0x35d8 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:28.997531891 CEST | 192.168.2.5 | 1.1.1.1 | 0x4aaf | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:29.997648001 CEST | 192.168.2.5 | 1.1.1.1 | 0x4aaf | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:31.010735989 CEST | 192.168.2.5 | 1.1.1.1 | 0x4aaf | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:33.010482073 CEST | 192.168.2.5 | 1.1.1.1 | 0x4aaf | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:37.136614084 CEST | 192.168.2.5 | 1.1.1.1 | 0x963 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:38.136619091 CEST | 192.168.2.5 | 1.1.1.1 | 0x963 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:39.135896921 CEST | 192.168.2.5 | 1.1.1.1 | 0x963 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:41.151401997 CEST | 192.168.2.5 | 1.1.1.1 | 0x963 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:42.538690090 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe37 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:43.526109934 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe37 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:44.541723967 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe37 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:46.557382107 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe37 | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:51.120903969 CEST | 192.168.2.5 | 1.1.1.1 | 0xc62b | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:52.135564089 CEST | 192.168.2.5 | 1.1.1.1 | 0xc62b | Standard query (0) | aprilxrwonew8450.duckdns.org | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Apr 23, 2024 08:12:13.984239101 CEST | 1.1.1.1 | 192.168.2.5 | 0x62a8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:13.984258890 CEST | 1.1.1.1 | 192.168.2.5 | 0x62a8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:13.984272003 CEST | 1.1.1.1 | 192.168.2.5 | 0x62a8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:13.989425898 CEST | 1.1.1.1 | 192.168.2.5 | 0x62a8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:14.195065975 CEST | 1.1.1.1 | 192.168.2.5 | 0xa084 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:25.915754080 CEST | 1.1.1.1 | 192.168.2.5 | 0x35d8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:25.915776968 CEST | 1.1.1.1 | 192.168.2.5 | 0x35d8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:25.915790081 CEST | 1.1.1.1 | 192.168.2.5 | 0x35d8 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:33.089382887 CEST | 1.1.1.1 | 192.168.2.5 | 0x4aaf | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:33.089428902 CEST | 1.1.1.1 | 192.168.2.5 | 0x4aaf | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:33.089483023 CEST | 1.1.1.1 | 192.168.2.5 | 0x4aaf | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:33.098712921 CEST | 1.1.1.1 | 192.168.2.5 | 0x4aaf | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:41.229538918 CEST | 1.1.1.1 | 192.168.2.5 | 0x963 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:41.229597092 CEST | 1.1.1.1 | 192.168.2.5 | 0x963 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:41.229613066 CEST | 1.1.1.1 | 192.168.2.5 | 0x963 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:41.239721060 CEST | 1.1.1.1 | 192.168.2.5 | 0x963 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:46.629349947 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe37 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:46.629401922 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe37 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:46.629417896 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe37 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:46.645359039 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe37 | Server failure (2) | aprilxrwonew8450.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:52.735671997 CEST | 1.1.1.1 | 192.168.2.5 | 0xc62b | No error (0) | aprilxrwonew8450.duckdns.org |  | 134.255.217.251 | A (IP address) | IN (0x0001) | false
                  Apr 23, 2024 08:12:52.735722065 CEST | 1.1.1.1 | 192.168.2.5 | 0xc62b | No error (0) | aprilxrwonew8450.duckdns.org |  | 134.255.217.251 | A (IP address) | IN (0x0001) | false


                  Target ID: 0
                  Start time: 08:12:07
                  Start date: 23/04/2024
                  Path: C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe
                  Wow64 process (32bit): false
                  Commandline: "C:\Users\user\Desktop\17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7e163552.dat-decoded.exe"
                  Imagebase: 0x3c0000
                  File size: 34'816 bytes
                  MD5 hash: F2C8F168AB79A0FADB6234B193C52255
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1995534590.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2960481827.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation: low
                  Has exited: true

                  Target ID: 6
                  Start time: 08:13:35
                  Start date: 23/04/2024
                  Path: C:\Windows\System32\WerFault.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\WerFault.exe -u -p 7100 -s 1572
                  Imagebase: 0x7ff6bd890000
                  File size: 570'736 bytes
                  MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high
                  Has exited: true

                    Execution Graph

                    Execution Coverage:18.8%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:3
                    Total number of Limit Nodes:0
                    execution_graph 3652 7ff848f22608 3654 7ff848f22611 SetWindowsHookExW 3652->3654 3655 7ff848f226e1 3654->3655

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2962948177.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff848f20000_17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7.jbxd
                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2962948177.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff848f20000_17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7.jbxd
                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2962948177.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff848f20000_17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7.jbxd
                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000000.00000002.2962948177.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff848f20000_17138520674595629f036092083cd6f67bdbe7369638076e0b4435be55ac10762b26f7.jbxd
                    Similarity
                    • API ID: HookWindows
                    • API String ID: 2559412058-0
                    Uniqueness Score: -1.00%