
Windows Analysis Report
171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe

Overview

General Information

Sample name: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
Analysis ID: 1436315
MD5: ec82960a54218c2dd7916f3d75aca8ba
SHA1: 1c54360deedb2f89b80e19f56f1bd28034078197
SHA256: 327e8072300c6e15a81ff4ed51b55b2beea354f69e3cda6de7205526eece6ffd
Tags: base64-decoded, exe
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Malware configuration (XWorm):
{"C2 url": ["xwormay8450.duckdns.org"], "Port": "8450", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara matches (Source | Rule | Description | Author | Strings)

Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
    Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
    Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0x74f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x758f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x76a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x71a0:$cnc4: POST / HTTP/1.1

Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
    Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
    Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0x74f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x758f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x76a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x71a0:$cnc4: POST / HTTP/1.1

Source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp
    Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
    Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0x72f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x738f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x74a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6fa0:$cnc4: POST / HTTP/1.1

Source: Process Memory Space: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe PID: 5464
    Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Source: 0.0.171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.700000.0.unpack
    Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
    Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0x74f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x758f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x76a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x71a0:$cnc4: POST / HTTP/1.1

            System Summary

            Sigma rule matched (Startup Folder File Write) | Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, ProcessId: 5464, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.lnk
            No Snort rule has matched

            AV Detection

            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Avira: detected
            Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Avira: detection malicious, Label: TR/Spy.Gen
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["xwormay8450.duckdns.org"], "Port": "8450", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
            Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | ReversingLabs: Detection: 78%
            Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Virustotal: Detection: 63%
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | ReversingLabs: Detection: 78%
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Virustotal: Detection: 63%
            Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Joe Sandbox ML: detected
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Joe Sandbox ML: detected
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | String decryptor: xwormay8450.duckdns.org
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | String decryptor: 8450
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | String decryptor: <123456789>
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | String decryptor: <Xwormmm>
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | String decryptor: USB.exe
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: .pdb| source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbttpHandl source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.PDB^XG source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.ni.pdbRSDS source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Windows.Forms.pdbMZ@ source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Drawing.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Configuration.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb0, Cul source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER7939.tmp.dmp.9.dr
            Source: Binary string: mscorlib.pdbh-| source: WER7939.tmp.dmp.9.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Configuration.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Xml.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Xml.pdb` source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B942000.00000004.00000020.00020000.00000000.sdmp, 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B929000.00000004.00000020.00020000.00000000.sdmp, WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B900000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER7939.tmp.dmp.9.dr
            Source: Binary string: indoC:\Windows\mDDorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: mscorlib.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B942000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7939.tmp.dmp.9.dr
            Source: Binary string: symbols\dll\mscorlib.pdbpdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER7939.tmp.dmp.9.dr

            Networking

            Source: Malware configuration extractor | URLs: xwormay8450.duckdns.org
            Source: unknown | DNS query: name: xwormay8450.duckdns.org
            Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 12.221.146.138:8450
            Source: Joe Sandbox View | IP Address: 12.221.146.138
            Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: xwormay8450.duckdns.org
            Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, XLogger.cs | .Net Code: KeyboardLayout
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Code function: 0_2_00007FFB4B300C0E
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5464 -s 1532
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000000.1341651325.000000000070C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexwormay8450.exe4 vs 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Binary or memory string: OriginalFilenamexwormay8450.exe4 vs 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr | Binary or memory string: OriginalFilenamexwormay8450.exe4 vs 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/8@2/1
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | File created: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\5SZ3fDyURUpUFMlG
            Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5464
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | ReversingLabs: Detection: 78%
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Virustotal: Detection: 63%
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | File read: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: unknown | Process created: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe "C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe"
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5464 -s 1532
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.lnk.0.dr | LNK file: ..\..\..\..\..\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Windows.Forms.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B942000.00000004.00000020.00020000.00000000.sdmp, 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B929000.00000004.00000020.00020000.00000000.sdmp, WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B900000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER7939.tmp.dmp.9.dr
            Source: Binary string: indoC:\Windows\mDDorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: mscorlib.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B942000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7939.tmp.dmp.9.dr
            Source: Binary string: symbols\dll\mscorlib.pdbpdb source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2448214379.000000001BCF9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER7939.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER7939.tmp.dmp.9.dr

            Data Obfuscation

            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Messages.cs .Net Code: Memory
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.0.dr, Messages.cs .Net Code: Memory
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Code function: 0_2_00007FFB4B3000BD pushad ; iretd 0_2_00007FFB4B3000C1
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe File created: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.lnk
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Memory allocated: D30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Memory allocated: 1AAF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Window / User API: threadDelayed 9722
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe TID: 6220 Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe TID: 2704 Thread sleep count: 236 > 30
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe TID: 2704 Thread sleep time: -236000s >= -30000s
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe TID: 2704 Thread sleep count: 9722 > 30
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe TID: 2704 Thread sleep time: -9722000s >= -30000s
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Thread delayed: delay time: 30000
            Source: Amcache.hve.9.dr Binary or memory string: VMware
            Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.9.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
            Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2446301146.0000000000C02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW">
            Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, 00000000.00000002.2447995647.000000001B942000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dllstem.ServiceModel.Configuration.WebHttpEndpointCollectionElement, System.ServiceModel.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
            Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match File source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: SAMPLE
            Source: Yara match File source: 0.0.171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe PID: 5464, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match File source: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: SAMPLE
            Source: Yara match File source: 0.0.171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe.700000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe PID: 5464, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, type: DROPPED
ATT&CK matrix, listed per tactic column (the number in parentheses is the count the report shows next to that technique; techniques without a number had no count):

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
• Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
• Persistence: Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Privilege Escalation: Process Injection (1), Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (2), DLL Side-Loading (1)
• Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
• Discovery: Security Software Discovery (121), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (13), Remote System Discovery, System Owner/User Discovery
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
• Collection: Input Capture (1), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
• Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (21), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

Source | Detection | Scanner | Label | Link
171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm |
171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 64% | Virustotal | | Browse
171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 100% | Avira | TR/Spy.Gen |
171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm |
C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe | 64% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
xwormay8450.duckdns.org | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
xwormay8450.duckdns.org | 12.221.146.138 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
xwormay8450.duckdns.org | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.9.dr | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
12.221.146.138 | xwormay8450.duckdns.org | United States | 7018 | ATT-INTERNET4US | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1436315
                Start date and time:2024-05-04 10:16:02 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 27s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:12
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@2/8@2/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 2
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 104.208.16.94
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed; report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
10:16:50 | API Interceptor | 1771275x Sleep call for process: 171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe modified
10:16:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.lnk
10:18:37 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
12.221.146.138 | E7236252-receipt.vbs | Get hash | malicious | XWorm | Browse |
12.221.146.138 | I7336446-receipt.vbs | Get hash | malicious | XWorm | Browse |
12.221.146.138 | S94847456-receipt.vbs | Get hash | malicious | XWorm | Browse |
12.221.146.138 | S847453-receipt.vbs | Get hash | malicious | XWorm | Browse |
12.221.146.138 | Tapril-30-receipt.vbs | Get hash | malicious | Remcos | Browse |
12.221.146.138 | Tapril-30-receipt.vbs | Get hash | malicious | Remcos | Browse |
12.221.146.138 | 171445824977c976fac5440dadfae67b1829817677698fe84127a065ee0d81bdba97dc885f639.dat-decoded.exe | Get hash | malicious | Remcos | Browse |
12.221.146.138 | Hapril-29-receipt.vbs | Get hash | malicious | Remcos | Browse |
12.221.146.138 | Hapril-29-receipt.vbs | Get hash | malicious | Remcos | Browse |
12.221.146.138 | Hapril-29-receipt.img | Get hash | malicious | XWorm | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
xwormay8450.duckdns.org | E7236252-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
xwormay8450.duckdns.org | I7336446-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
xwormay8450.duckdns.org | S94847456-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
xwormay8450.duckdns.org | S847453-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATT-INTERNET4US | E7236252-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
ATT-INTERNET4US | I7336446-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
ATT-INTERNET4US | S94847456-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
ATT-INTERNET4US | S847453-receipt.vbs | Get hash | malicious | XWorm | Browse | 12.221.146.138
ATT-INTERNET4US | sora.arm-20240504-0115.elf | Get hash | malicious | Mirai | Browse | 108.218.226.97
ATT-INTERNET4US | sora.x86-20240504-0115.elf | Get hash | malicious | Mirai | Browse | 107.67.131.199
ATT-INTERNET4US | https://monacolife.net | Get hash | malicious | Unknown | Browse | 13.36.27.25
ATT-INTERNET4US | x86.elf | Get hash | malicious | Unknown | Browse | 32.45.187.39
ATT-INTERNET4US | 2AAH1UYstb.elf | Get hash | malicious | Mirai | Browse | 99.160.220.147
ATT-INTERNET4US | 9d565bee-e6ce-1842-e729-b0df8f08ed34.eml | Get hash | malicious | HTMLPhisher | Browse | 172.183.192.109

No context
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.2759515972172204
                                    Encrypted:false
                                    SSDEEP:192:JKNQPuqsjmT081iHhaWz8iygIpl4QMzuiFnZ24lO8K:gmPuq4R81iBa48ig4rzuiFnY4lO8K
                                    MD5:7A1EB95B06761986FF93CD83931A0428
                                    SHA1:3A22CB50599C28F5B07953DD55AF0A66393ECF39
                                    SHA-256:C490FD2A9D5C90299F2789D4CF0194FA4BDEE42B0D2292921E3E7D243045187B
                                    SHA-512:E0FFBB6E10F7F63733647FE70A43D134CC9DEDD2E5FFDF3E121B57C1EC1662C77D3F6333DC1C818C561AFDB89E0CB1EE67EC4C87901F7B72268A92D16FE4FA73
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.2.8.4.3.1.1.4.6.8.0.0.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.2.8.4.3.1.2.0.4.6.1.2.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.a.d.1.b.b.d.-.2.4.2.b.-.4.1.8.e.-.9.2.e.a.-.b.9.9.1.6.7.8.e.3.8.b.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.8.8.a.0.1.6.-.5.7.4.0.-.4.3.1.1.-.9.c.8.0.-.5.d.0.a.b.a.3.2.e.7.d.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.1.7.1.4.8.0.9.6.7.9.1.8.5.5.9.e.e.0.f.0.9.3.5.6.f.7.1.8.f.f.0.d.f.e.6.6.8.2.2.0.d.8.c.c.7.8.4.7.9.c.f.f.3.3.7.0.2.2.e.4.3.7.f.8.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.x.w.o.r.m.a.y.8.4.5.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.5.8.-.0.0.0.1.-.0.0.1.4.-.8.b.e.6.-.4.1.6.a.f.b.9.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.5.8.6.5.b.b.6.b.a.0.4.f.2.6.7.8.4.7.8.b.0.3.c.b.3.9.3.9.4.8.0.0.0.0.0.0.0.0.!.0.0.0.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:Mini DuMP crash report, 16 streams, Sat May 4 08:18:31 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):440709
                                    Entropy (8bit):3.478294209056468
                                    Encrypted:false
                                    SSDEEP:3072:9PYys2cSmj4X81CCqbF8Oc3+veK7q7HRue8hIIkGYUgxlPo4YwznZ/NiMn:dvs+m0CqKj3QeK7qdCWuYUgxlQwZ/N7
                                    MD5:B51BF627EFC78B02CBAED72BDE5EAB34
                                    SHA1:AF6DC6F250264CC5883828A5C98F7CF721C8F4D0
                                    SHA-256:8B6497854003C4E2286A66468BB2129BD3BA65524258A91C5EC26CF070D8AC03
                                    SHA-512:E62F55EEC222389ACE77798786BB0F6F7584E17807457233D5DD6AF03FC8BCA0B0AA4779377F840DE862B41CE4C77D1C68E94AB3552912B02C50F02153ED9E98
                                    Malicious:false
                                    Reputation:low
                                    Preview:MDMP..a..... .......W.5f........................ ...4.......$...T&......L...x&.......;..,t..........l.......8...........T............;...}.......................0..............................................................................eJ......H1......Lw......................T.......X.....5f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):9104
                                    Entropy (8bit):3.7151886079983543
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJ6jE74V6YSoY5oWngmfZB5a83CprC89bcPNfaUm:R6lXJ8E7i6Y9Y5o+gmf/Adc1f4
                                    MD5:6493CFF80A50DF1FA81D5D89B22A1CBD
                                    SHA1:FEE03A564B4F1B2844F0B6DCD3D04C149D9AB13D
                                    SHA-256:BFFA4442CD55D5C440D58D6738B2F6D347C33F6BA23F2E241BAC7188B6F2337A
                                    SHA-512:DD34E6F6EE19F559FBC235A0C7D28431D1DAA600943192F83B258163303133F551889A57552524B10DB775D5179116D529F44C0F00972A3DB18FE6DA5C1D1DF2
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.6.4.<./.P.i.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):5036
                                    Entropy (8bit):4.5998511433588565
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zs/Jg771I9t6WpW8VYYYm8M4JjWNGF5WlAPyq8vPWNubybFfSnSJd:uIjfhI7W77VcJj/rWP7mbYSJd
                                    MD5:1DDCD5BDD3BBCFBEA0EF575DDFC91474
                                    SHA1:941E3B1A2194716924A488F7857099EB3BDFC022
                                    SHA-256:87BA062B702669237BC96B58BF39B84E1C3E059B41A0DC4390230DF6C3D7BF81
                                    SHA-512:B9ED7C6CDC5A7965CF9050A436F6DC7BC72829EC6AE4F4BC8F48E4C6355D92C971806227914AA6948420CF53AB5663F3F515D7F31AD06765160321921113BCF5
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="308121" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):29
                                    Entropy (8bit):3.598349098128234
                                    Encrypted:false
                                    SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                    MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                    SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                    SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                    SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:....### explorer ###..[WIN]r
                                    Process:C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):35840
                                    Entropy (8bit):5.571232853299697
                                    Encrypted:false
                                    SSDEEP:384:ovg9j00WbqxAMTayV5N+5maFZZL3C8pJm3/KNm0ns0VgtFMAmNLToZw/RZCvK9Ij:XB4QBTOl3Cx3CNUVFQ92exOMhBuvl3
                                    MD5:EC82960A54218C2DD7916F3D75ACA8BA
                                    SHA1:1C54360DEEDB2F89B80E19F56F1BD28034078197
                                    SHA-256:327E8072300C6E15A81FF4ED51B55B2BEEA354F69E3CDA6DE7205526EECE6FFD
                                    SHA-512:7279F25A1EA1985D1903F445BC37491CA66BFBCC92EE2E3E7D9F64763D74DAC838CEB190ADAE2028427D6814DBD47D477CDF77BD0A13C1D5B1C3EF35AEA96F0D
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 79%
                                    • Antivirus: Virustotal, Detection: 64%, Browse
                                    Reputation:low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3f............................~.... ........@.. ....................................@.................................(...S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........R.. N............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                    Process:C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat May 4 07:16:53 2024, mtime=Sat May 4 07:16:53 2024, atime=Sat May 4 07:16:53 2024, length=35840, window=hide
                                    Category:dropped
                                    Size (bytes):1177
                                    Entropy (8bit):4.865686576155288
                                    Encrypted:false
                                    SSDEEP:12:8jBYYAOi1417ckCh5PeY//95JELDnJlpYjRFYtSWc9FG1jAclsHiqFpr9K/QRFYS:8j7v4P13kDJUFV4A9JKMFVCXBm
                                    MD5:1FE5C3C9467C5CE8E26AA3B32F941F50
                                    SHA1:C5B7AF500A691FD8EDF594972A2C6AD897475D8C
                                    SHA-256:1CB971861D43046FB697F029EC68AB3B4A6B2EB9A19FE22BA3F13FF618B148AC
                                    SHA-512:83DFA52237119F990726384E37D0678104F8F0434C1C79B970AA11ED77D8170CE06E4A4E1DC08DC4B15E462F735D73CC52F4B5927FE0AD3A2223A72616875EA8
                                    Malicious:false
                                    Reputation:low
                                    Preview:L..................F.... ....r.k.....r.k.....r.k..............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....SBf.....^.l........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.X.B..........................d...A.p.p.D.a.t.a...B.V.1......X.B..Roaming.@......EW)B.X.B...........................%..R.o.a.m.i.n.g.......2......X.B .171480~1.EXE.........X.B.X.B....D.......................T.1.7.1.4.8.0.9.6.7.9.1.8.5.5.9.e.e.0.f.0.9.3.5.6.f.7.1.8.f.f.0.d.f.e.6.6.8.2.2.0.d.8.c.c.7.8.4.7.9.c.f.f.3.3.7.0.2.2.e.4.3.7.f.8.7.1.d.c.7.d.1.b.0.b.1.4.8...d.a.t.-.d.e.c.o.d.e.d...e.x.e.......................-...................{V.......C:\Users\user\AppData\Roaming\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe..l.....\.....\.....\.....\.....\.1.7.1.4.8.0.9.6.7.9.1.8.5.5.9.e.e.0.f.0.9.3.5.6.f.7.1.8.f.f.0.d.f.e.6.6.8.2.2.0.d.8.c.c.7.8.4.7.9.c.f.f.3.3.7.0.2.2.e.4.3.7.f.8.7.1.d.c.7.d.1.b.0.b.1.4.8...d.a.t.-.d.e.c.o.d.e.d.
                                    Process:C:\Windows\System32\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.372802091561115
                                    Encrypted:false
                                    SSDEEP:6144:GFVfpi6ceLP/9skLmb0ZyWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:GV1PyWWI/glMM6kF7vq
                                    MD5:612125F8CD654A728414E8B7A6368149
                                    SHA1:10A02E54153C49E346A2BBDADDB34D9951D00B24
                                    SHA-256:39052200F24CC52D0354E20793147DA7C219281EAF070D3E70A140F11C8A378D
                                    SHA-512:D9C01A62088BB254FB7726B6B32FA51361D3E593E892DC2AD079A12525FDF2D05CA2C2F51E078329DA18E3907CA293ED37FBD71C5AC0238EF13A6BD2D771738A
                                    Malicious:false
                                    Reputation:low
                                    Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN$S...................................................................................................................................................................................................................................................................................................................................................E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):5.571232853299697
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
                                    File size:35'840 bytes
                                    MD5:ec82960a54218c2dd7916f3d75aca8ba
                                    SHA1:1c54360deedb2f89b80e19f56f1bd28034078197
                                    SHA256:327e8072300c6e15a81ff4ed51b55b2beea354f69e3cda6de7205526eece6ffd
                                    SHA512:7279f25a1ea1985d1903f445bc37491ca66bfbcc92ee2e3e7d9f64763d74dac838ceb190adae2028427d6814dbd47d477cdf77bd0a13c1d5b1c3ef35aea96f0d
                                    SSDEEP:384:ovg9j00WbqxAMTayV5N+5maFZZL3C8pJm3/KNm0ns0VgtFMAmNLToZw/RZCvK9Ij:XB4QBTOl3Cx3CNUVFQ92exOMhBuvl3
                                    TLSH:CFF25C083BE4831DC5FF2BFA69B3E6410275E5038A13EB4E1DC845AA6B33B8189457D7
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3f............................~.... ........@.. ....................................@................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x40a07e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6633AD85 [Thu May 2 15:13:09 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(The remaining 97 lines of this listing all decode as "add byte ptr [eax], al", which is the 00 00 padding that follows the 6-byte stub, not code. 00402000h is the image base 0x400000 plus the IAT directory at RVA 0x2000, the slot the loader fills with mscoree.dll!_CorExeMain, so this single jmp is the entire native entry point of the .NET executable.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa028 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8084 | 0x8200 | 0eb205c85a83de22f2f37033cc39459e | False | 0.49732572115384616 | data | 5.708369257549561 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4e8 | 0x600 | 3455bbff4ec4e52cf44cdf0ac22f6660 | False | 0.3795572916666667 | data | 3.763710636203873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 2259341f6aabdfee754623683538aba0 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x254 | data | | | 0.4714765100671141
RT_MANIFEST | 0xc2f8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
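The static fields above are what identifies a managed executable before any decompiler is opened: a 6-byte entry stub at RVA 0xa07e that jumps through the 8-byte IAT at RVA 0x2000, a COM descriptor (CLR header) at RVA 0x2008, and a single import, mscoree.dll!_CorExeMain, which is why the import hash is f34d5f2d4577ed6d9ceec516c1f5a744, the value shared by every .NET PE. The script below is an added example, not Joe Sandbox code: it builds a constructed PE32 byte blob with those RVAs (the section's file offset and the import-table layout are assumptions; the sample itself is not embedded), then parses the headers, checks the CLR directory and the entry stub, and computes a pefile-compatible import hash.

```python
"""PE32 triage of a .NET loader stub, covering the static fields in the report above.
Added example, not Joe Sandbox code. The PE bytes are CONSTRUCTED here with the report's
values (image base 0x400000, entry 0xa07e, IAT 0x2000, CLR header 0x2008, import dir 0xa028,
mscoree.dll!_CorExeMain); the section file offset and import-table layout are assumptions."""
import hashlib
import struct

DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14   # data-directory indices (PE spec)
IMAGE_BASE = 0x400000


def build_sample_pe():
    """Constructed PE32 with one .text section (RVA 0x2000 -> file 0x200) holding the IAT,
    the import table and the 6-byte 'jmp dword ptr [IAT]' entry stub of a managed EXE."""
    text_rva, text_raw, text_size = 0x2000, 0x200, 0x8200
    img = bytearray(text_raw + text_size)

    def off(rva):                                   # RVA -> file offset inside .text
        return text_raw + (rva - text_rva)

    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3c, 0x80)          # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b'PE\0\0'
    # COFF: machine i386, 1 section, timestamp, symtab ptr, nsyms, optional hdr size, EXECUTABLE|32BIT
    struct.pack_into('<HHIIIHH', img, pe + 4, 0x14c, 1, 0x6633AD85, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into('<H', img, opt, 0x10b)          # PE32 magic
    struct.pack_into('<I', img, opt + 16, 0xa07e)    # AddressOfEntryPoint
    struct.pack_into('<I', img, opt + 28, IMAGE_BASE)
    struct.pack_into('<I', img, opt + 92, 16)        # NumberOfRvaAndSizes
    for idx, (va, size) in {DIR_IMPORT: (0xa028, 0x4a), DIR_IAT: (0x2000, 0x8),
                            DIR_COM_DESCRIPTOR: (0x2008, 0x48)}.items():
        struct.pack_into('<II', img, opt + 96 + 8 * idx, va, size)
    struct.pack_into('<8sIIIIIIHHI', img, opt + 0xE0, b'.text', 0x8084, text_rva, text_size,
                     text_raw, 0, 0, 0, 0, 0x60000020)   # CODE|EXECUTE|READ
    # IMAGE_IMPORT_DESCRIPTOR: ILT 0xa050, stamp, fwd chain, name 0xa066, IAT 0x2000; null terminator follows
    struct.pack_into('<IIIII', img, off(0xa028), 0xa050, 0, 0, 0xa066, 0x2000)
    struct.pack_into('<I', img, off(0xa050), 0xa058)   # ILT -> hint/name entry
    struct.pack_into('<I', img, off(0x2000), 0xa058)   # unbound IAT -> same entry
    img[off(0xa05a):off(0xa05a) + 12] = b'_CorExeMain\0'   # 2-byte zero hint at 0xa058 precedes it
    img[off(0xa066):off(0xa066) + 12] = b'mscoree.dll\0'
    img[off(0xa07e):off(0xa07e) + 6] = b'\xff\x25' + struct.pack('<I', IMAGE_BASE + 0x2000)
    return bytes(img)


def parse_pe32(data):
    """Headers a triage script needs: entry RVA, image base, data directories, section map."""
    pe = struct.unpack_from('<I', data, 0x3c)[0]
    if data[:2] != b'MZ' or data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsec, opt_size = struct.unpack_from('<H', data, pe + 6)[0], struct.unpack_from('<H', data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from('<H', data, opt)[0] != 0x10b:
        raise ValueError('only PE32 handled')
    entry, base = struct.unpack_from('<I', data, opt + 16)[0], struct.unpack_from('<I', data, opt + 28)[0]
    ndirs = struct.unpack_from('<I', data, opt + 92)[0]
    dirs = [struct.unpack_from('<II', data, opt + 96 + 8 * i) for i in range(ndirs)]
    secs = [struct.unpack_from('<8sIIII', data, opt + opt_size + 40 * i) for i in range(nsec)]
    return {'entry': entry, 'base': base, 'dirs': dirs,
            'sections': [(va, max(vs, rs), raw) for _, vs, va, rs, raw in secs]}


def rva_to_offset(hdr, rva):
    for va, size, raw in hdr['sections']:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f'RVA {rva:#x} maps to no section')


def cstr(data, off):
    return data[off:data.index(b'\0', off)].decode('ascii')


def read_imports(data, hdr):
    """Walk the import descriptors and their lookup tables (PE32, by-name imports only)."""
    imports, off = [], rva_to_offset(hdr, hdr['dirs'][DIR_IMPORT][0])
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from('<IIIII', data, off)
        if name_rva == 0:
            break
        dll, thunk = cstr(data, rva_to_offset(hdr, name_rva)), rva_to_offset(hdr, ilt or iat)
        while (entry := struct.unpack_from('<I', data, thunk)[0]) != 0:
            if not (entry & 0x80000000):            # high bit set = import by ordinal
                imports.append((dll, cstr(data, rva_to_offset(hdr, entry + 2))))
            thunk += 4
        off += 20
    return imports


def imphash(imports):
    """pefile-compatible imphash: md5 of comma-joined 'lib.func', lowercased, dll/ocx/sys dropped."""
    parts = []
    for dll, func in imports:
        lib, _, ext = dll.lower().rpartition('.')
        lib = lib if ext in ('dll', 'ocx', 'sys') else dll.lower()
        parts.append(f'{lib}.{func.lower()}')
    return hashlib.md5(','.join(parts).encode()).hexdigest()


def triage(data):
    hdr = parse_pe32(data)
    clr_rva, clr_size = hdr['dirs'][DIR_COM_DESCRIPTOR]
    iat_rva = hdr['dirs'][DIR_IAT][0]
    ep = rva_to_offset(hdr, hdr['entry'])
    stub = data[ep:ep + 6]
    # A managed EXE's only native code is 'FF 25 <abs addr>': jmp dword ptr [IAT slot of _CorExeMain]
    is_stub = (len(stub) == 6 and stub[:2] == b'\xff\x25'
               and struct.unpack('<I', stub[2:])[0] == hdr['base'] + iat_rva)
    imports = read_imports(data, hdr)
    return {'is_dotnet': clr_size != 0, 'clr_header_rva': clr_rva, 'entry_is_clr_stub': is_stub,
            'imports': imports, 'imphash': imphash(imports)}


if __name__ == '__main__':
    print(triage(build_sample_pe()))
```

The CLR-directory check is the reliable .NET test; the entry-stub and imphash checks are corroboration, and the imphash in particular tells you nothing about the sample beyond "it is .NET", so it should not be used as a family indicator the way it is for native malware.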
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2024 10:16:55.172271013 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:55.517695904 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:56.026531935 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:56.371910095 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:56.885946989 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:57.232096910 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:57.745291948 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:58.090677977 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:58.604691029 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:58.950141907 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:59.233491898 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:59.580378056 CEST | 8450 | 49706 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:00.088990927 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:00.435496092 CEST | 8450 | 49706 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:00.948546886 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:01.295618057 CEST | 8450 | 49706 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:01.807765007 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:02.154263973 CEST | 8450 | 49706 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:02.667136908 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:03.015364885 CEST | 8450 | 49706 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:03.182387114 CEST | 49707 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:03.527949095 CEST | 8450 | 49707 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:04.042359114 CEST | 49707 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:04.389138937 CEST | 8450 | 49707 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:04.901691914 CEST | 49707 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:05.247395039 CEST | 8450 | 49707 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:05.776659966 CEST | 49707 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:06.122905016 CEST | 8450 | 49707 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:06.635945082 CEST | 49707 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:06.984107971 CEST | 8450 | 49707 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:09.252177000 CEST | 49708 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:09.599261045 CEST | 8450 | 49708 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:10.229759932 CEST | 49708 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:10.575042009 CEST | 8450 | 49708 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:11.120434046 CEST | 49708 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:11.465892076 CEST | 8450 | 49708 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:12.120398045 CEST | 49708 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:12.466818094 CEST | 8450 | 49708 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:12.979749918 CEST | 49708 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:13.362222910 CEST | 8450 | 49708 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:17.981636047 CEST | 49711 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:18.327887058 CEST | 8450 | 49711 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:18.839055061 CEST | 49711 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:19.185214043 CEST | 8450 | 49711 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:19.698503971 CEST | 49711 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:20.046765089 CEST | 8450 | 49711 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:20.557785034 CEST | 49711 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:20.904011011 CEST | 8450 | 49711 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:21.417175055 CEST | 49711 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:21.763475895 CEST | 8450 | 49711 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:21.872685909 CEST | 49712 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:22.219624043 CEST | 8450 | 49712 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:22.729681969 CEST | 49712 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:23.076064110 CEST | 8450 | 49712 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:23.589061975 CEST | 49712 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:23.935404062 CEST | 8450 | 49712 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:24.448550940 CEST | 49712 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:24.794926882 CEST | 8450 | 49712 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:25.307809114 CEST | 49712 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:25.654438019 CEST | 8450 | 49712 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:26.481142044 CEST | 49713 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:26.826982975 CEST | 8450 | 49713 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:27.339193106 CEST | 49713 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:27.684806108 CEST | 8450 | 49713 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:28.198429108 CEST | 49713 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:28.545384884 CEST | 8450 | 49713 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:29.057833910 CEST | 49713 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:29.403819084 CEST | 8450 | 49713 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:29.917171955 CEST | 49713 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:30.262835026 CEST | 8450 | 49713 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:30.372062922 CEST | 49714 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:30.719079971 CEST | 8450 | 49714 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:31.229878902 CEST | 49714 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:31.575690985 CEST | 8450 | 49714 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:32.089133978 CEST | 49714 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:32.434596062 CEST | 8450 | 49714 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:32.948450089 CEST | 49714 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:33.294022083 CEST | 8450 | 49714 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:33.807940006 CEST | 49714 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:34.153557062 CEST | 8450 | 49714 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:38.871906042 CEST | 49715 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:39.217659950 CEST | 8450 | 49715 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:39.729713917 CEST | 49715 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:40.075285912 CEST | 8450 | 49715 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:40.589143991 CEST | 49715 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:40.935652018 CEST | 8450 | 49715 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:41.448534012 CEST | 49715 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:41.795332909 CEST | 8450 | 49715 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:42.307856083 CEST | 49715 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:42.654884100 CEST | 8450 | 49715 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:42.762693882 CEST | 49716 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:43.110476971 CEST | 8450 | 49716 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:43.620322943 CEST | 49716 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:43.968061924 CEST | 8450 | 49716 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:44.479752064 CEST | 49716 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:44.827797890 CEST | 8450 | 49716 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:45.339164972 CEST | 49716 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:45.688091993 CEST | 8450 | 49716 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:46.198488951 CEST | 49716 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:46.545072079 CEST | 8450 | 49716 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:52.301858902 CEST | 49718 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:52.647919893 CEST | 8450 | 49718 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:53.151575089 CEST | 49718 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:55.151567936 CEST | 49718 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:55.497771978 CEST | 8450 | 49718 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:56.011006117 CEST | 49718 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:56.358088017 CEST | 8450 | 49718 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:56.870390892 CEST | 49718 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:57.216495037 CEST | 8450 | 49718 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:57.561770916 CEST | 49719 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:57.914282084 CEST | 8450 | 49719 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:58.417248964 CEST | 49719 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:58.763340950 CEST | 8450 | 49719 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:17:59.276575089 CEST | 49719 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:59.622987032 CEST | 8450 | 49719 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:00.136029959 CEST | 49719 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:00.482505083 CEST | 8450 | 49719 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:00.995374918 CEST | 49719 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:01.345268965 CEST | 8450 | 49719 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:01.451009989 CEST | 49720 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:01.796627045 CEST | 8450 | 49720 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:02.307887077 CEST | 49720 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:02.653747082 CEST | 8450 | 49720 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:03.167220116 CEST | 49720 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:03.512602091 CEST | 8450 | 49720 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:04.026590109 CEST | 49720 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:04.373749018 CEST | 8450 | 49720 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:04.886002064 CEST | 49720 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:05.231760979 CEST | 8450 | 49720 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:05.341382980 CEST | 49721 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:05.687207937 CEST | 8450 | 49721 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:06.198530912 CEST | 49721 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:06.544078112 CEST | 8450 | 49721 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:07.057909966 CEST | 49721 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:07.403368950 CEST | 8450 | 49721 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:07.917237997 CEST | 49721 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:08.264280081 CEST | 8450 | 49721 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:08.776598930 CEST | 49721 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:09.124183893 CEST | 8450 | 49721 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:09.232461929 CEST | 49722 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:09.578272104 CEST | 8450 | 49722 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:10.089198112 CEST | 49722 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:10.434695959 CEST | 8450 | 49722 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:10.949347019 CEST | 49722 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:11.296859980 CEST | 8450 | 49722 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:11.807864904 CEST | 49722 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:12.153069019 CEST | 8450 | 49722 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:12.668626070 CEST | 49722 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:13.014173985 CEST | 8450 | 49722 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:14.294512033 CEST | 49723 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:14.640223026 CEST | 8450 | 49723 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:15.151580095 CEST | 49723 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:15.498260021 CEST | 8450 | 49723 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:16.073283911 CEST | 49723 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:16.419773102 CEST | 8450 | 49723 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:16.948529959 CEST | 49723 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:17.294177055 CEST | 8450 | 49723 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:17.839205980 CEST | 49723 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:18.184781075 CEST | 8450 | 49723 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:18.800796032 CEST | 49724 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:19.148572922 CEST | 8450 | 49724 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:19.651599884 CEST | 49724 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:19.999006033 CEST | 8450 | 49724 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:20.555366039 CEST | 49724 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:20.903397083 CEST | 8450 | 49724 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:21.542238951 CEST | 49724 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:21.890528917 CEST | 8450 | 49724 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:22.448487997 CEST | 49724 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:22.795989990 CEST | 8450 | 49724 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:22.905452013 CEST | 49725 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:23.253458023 CEST | 8450 | 49725 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:23.762360096 CEST | 49725 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:24.108581066 CEST | 8450 | 49725 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:24.620362997 CEST | 49725 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:24.966593027 CEST | 8450 | 49725 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:25.482362032 CEST | 49725 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:25.828299046 CEST | 8450 | 49725 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:26.339637041 CEST | 49725 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:26.685410976 CEST | 8450 | 49725 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:26.795540094 CEST | 49726 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:27.142972946 CEST | 8450 | 49726 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:27.651784897 CEST | 49726 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:27.999156952 CEST | 8450 | 49726 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:28.510987043 CEST | 49726 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:28.858927011 CEST | 8450 | 49726 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:29.370383024 CEST | 49726 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:29.717768908 CEST | 8450 | 49726 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:30.230350018 CEST | 49726 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:30.584045887 CEST | 8450 | 49726 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:30.701575994 CEST | 49727 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:31.046818972 CEST | 8450 | 49727 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:31.558360100 CEST | 49727 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:31.916456938 CEST | 8450 | 49727 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:32.432879925 CEST | 49727 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:32.779911041 CEST | 8450 | 49727 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:33.292244911 CEST | 49727 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:33.640590906 CEST | 8450 | 49727 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:18:34.151660919 CEST | 49727 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:18:34.497004986 CEST | 8450 | 49727 | 12.221.146.138 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2024 10:16:54.921514988 CEST | 51882 | 53 | 192.168.2.8 | 1.1.1.1
May 4, 2024 10:16:55.157223940 CEST | 53 | 51882 | 1.1.1.1 | 192.168.2.8
May 4, 2024 10:17:57.324939013 CEST | 54270 | 53 | 192.168.2.8 | 1.1.1.1
May 4, 2024 10:17:57.560995102 CEST | 53 | 54270 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 4, 2024 10:16:54.921514988 CEST | 192.168.2.8 | 1.1.1.1 | 0x9e66 | Standard query (0) | xwormay8450.duckdns.org | A (IP address) | IN (0x0001) | false
May 4, 2024 10:17:57.324939013 CEST | 192.168.2.8 | 1.1.1.1 | 0x1a09 | Standard query (0) | xwormay8450.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 4, 2024 10:16:55.157223940 CEST | 1.1.1.1 | 192.168.2.8 | 0x9e66 | No error (0) | xwormay8450.duckdns.org | | 12.221.146.138 | A (IP address) | IN (0x0001) | false
May 4, 2024 10:17:57.560995102 CEST | 1.1.1.1 | 192.168.2.8 | 0x1a09 | No error (0) | xwormay8450.duckdns.org | | 12.221.146.138 | A (IP address) | IN (0x0001) | false
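The traffic above is the shape a network detection should key on: the same destination 12.221.146.138:8450 throughout, one probe roughly every 0.85 s with a reply about 0.35 s later, a fresh ephemeral source port every five exchanges, and a destination that was learned moments earlier by resolving a duckdns.org name over plain DNS. The script below is an added example, not Joe Sandbox code. Its input is constructed from the first rows of the TCP and DNS tables above in 'field | field' form; the dynamic-DNS suffix list, the well-known-port set and the jitter and packet-count thresholds are this example's own assumptions.

```python
"""Beacon and dynamic-DNS triage over rows shaped like the report's TCP and DNS tables.
Added example, not Joe Sandbox code. SAMPLE_TCP/SAMPLE_DNS are CONSTRUCTED from the first
rows of the tables above ('field | field' form); DDNS_SUFFIXES, WELL_KNOWN_PORTS and the
thresholds in find_beacons are this example's assumptions."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_TCP = """\
May 4, 2024 10:16:55.172271013 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:55.517695904 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:56.026531935 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:56.371910095 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:56.885946989 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:57.232096910 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:57.745291948 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:58.090677977 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:58.604691029 CEST | 49705 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:16:58.950141907 CEST | 8450 | 49705 | 12.221.146.138 | 192.168.2.8
May 4, 2024 10:16:59.233491898 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:00.088990927 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:00.948546886 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:01.807765007 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
May 4, 2024 10:17:02.667136908 CEST | 49706 | 8450 | 192.168.2.8 | 12.221.146.138
"""
SAMPLE_DNS = """\
May 4, 2024 10:16:55.157223940 CEST | 1.1.1.1 | 192.168.2.8 | 0x9e66 | No error (0) | xwormay8450.duckdns.org |  | 12.221.146.138 | A (IP address) | IN (0x0001) | false
"""
DDNS_SUFFIXES = ('.duckdns.org', '.no-ip.org', '.ddns.net', '.hopto.org', '.dyndns.org')  # assumed list
WELL_KNOWN_PORTS = {22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


def parse_ts(text):
    """'May 4, 2024 10:16:55.172271013 CEST' -> seconds. The sandbox prints nanoseconds and
    strptime's %f accepts at most six digits, so the fraction is truncated to microseconds."""
    stamp, _tz = text.rsplit(' ', 1)
    whole, frac = stamp.rsplit('.', 1)
    dt = datetime.strptime(f'{whole}.{frac[:6]}', '%b %d, %Y %H:%M:%S.%f')
    return (dt - datetime(1970, 1, 1)).total_seconds()


def parse_rows(table):
    return [[f.strip() for f in line.split('|')] for line in table.splitlines() if line.strip()]


def find_beacons(tcp_table, min_packets=5, max_jitter=0.2):
    """Group outbound packets (private -> public) by destination only, so a channel that
    reconnects from fresh source ports is still one series, then flag low-jitter intervals."""
    by_dst = defaultdict(list)
    for ts, _sport, dport, src, dst in parse_rows(tcp_table):
        if ipaddress.ip_address(src).is_private and not ipaddress.ip_address(dst).is_private:
            by_dst[(dst, int(dport))].append(parse_ts(ts))
    beacons = []
    for (dst, dport), times in by_dst.items():
        if len(times) < min_packets:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float('inf')   # coefficient of variation
        if jitter <= max_jitter:
            beacons.append({'dst': (dst, dport), 'packets': len(times), 'mean_interval': round(mean, 3),
                            'jitter': round(jitter, 3), 'non_standard_port': dport not in WELL_KNOWN_PORTS})
    return beacons


def dns_answers(dns_table):
    """Reply rows in the report's layout: ts | src | dst | id | rcode | name | cname | address | type | class | doh."""
    return {row[5]: row[7] for row in parse_rows(dns_table) if row[4].startswith('No error') and row[7]}


def analyze(tcp_table, dns_table):
    beacons = find_beacons(tcp_table)
    answers = dns_answers(dns_table)
    by_ip = {ip: name for name, ip in answers.items()}
    return {
        'beacons': beacons,
        'dynamic_dns': {n: ip for n, ip in answers.items() if n.lower().endswith(DDNS_SUFFIXES)},
        # A beacon whose destination was just resolved from a DDNS name is the host:port pair to pivot on
        'c2_candidates': [f'{by_ip[dst]}:{port} ({dst})' for b in beacons
                          for dst, port in [b['dst']] if dst in by_ip],
    }


if __name__ == '__main__':
    print(analyze(SAMPLE_TCP, SAMPLE_DNS))
```

Grouping by destination rather than by full 4-tuple is the deliberate choice here: over the whole table the source port rolls every ten packets, so a per-connection view would see many short five-probe sessions and could miss the regularity, while the destination view sees one channel with a ~0.83 s mean and a coefficient of variation under 0.1. The same logic applied to the page's full table should be read alongside the process list, since the final reconnects coincide with the WerFault crash handler starting.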

                                    Target ID:0
                                    Start time:10:16:50
                                    Start date:04/05/2024
                                    Path:C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d1b0b148.dat-decoded.exe"
                                    Imagebase:0x700000
                                    File size:35'840 bytes
                                    MD5 hash:EC82960A54218C2DD7916F3D75ACA8BA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1341635859.0000000000702000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    Target ID:9
                                    Start time:10:18:31
                                    Start date:04/05/2024
                                    Path:C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 5464 -s 1532
                                    Imagebase:0x7ff78f210000
                                    File size:570'736 bytes
                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:31.3%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:3
                                      Total number of Limit Nodes:0
                                      execution_graph
                                      Nodes:
                                      • 2057: 7ffb4b3023e8
                                      • 2058: 7ffb4b3023f1 (SetWindowsHookExW)
                                      • 2060: 7ffb4b3024c1
                                      Edges:
                                      • 2057 -> 2058
                                      • 2058 -> 2060

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2448740273.00007FFB4B300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffb4b300000_171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: SAN_^$cAN_^
                                      • API String ID: 0-4141325245
                                      • Opcode ID: 33325fcce8cee3b7fa77301534d6affefd5a91e39f41f059e0c44d2427cbfcd4
                                      • Instruction ID: e7b58d444f444c30feacce38e37c93380eb1657f852b2e5050d208f85cd1bbb4
                                      • Opcode Fuzzy Hash: 33325fcce8cee3b7fa77301534d6affefd5a91e39f41f059e0c44d2427cbfcd4
                                      • Instruction Fuzzy Hash: 102205A1B1DA4A4FEB99FF3CC8552797BD2EF98304F4445B9E44DC3296DD28A8028781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph
                                      Nodes (basic blocks):
                                      • 392: 7ffb4b3023e8-7ffb4b3023ef
                                      • 393: 7ffb4b3023fa-7ffb4b30246d
                                      • 394: 7ffb4b3023f1-7ffb4b3023f9
                                      • 398: 7ffb4b3024f9-7ffb4b3024fd
                                      • 399: 7ffb4b302473-7ffb4b302478
                                      • 400: 7ffb4b302482-7ffb4b3024bf (SetWindowsHookExW)
                                      • 401: 7ffb4b30247f-7ffb4b302480
                                      • 402: 7ffb4b3024c7-7ffb4b3024f8
                                      • 403: 7ffb4b3024c1
                                      Edges:
                                      • 392 -> 393, 392 -> 394
                                      • 393 -> 398, 393 -> 399
                                      • 394 -> 393
                                      • 398 -> 400
                                      • 399 -> 401
                                      • 400 -> 402, 400 -> 403
                                      • 401 -> 400
                                      • 403 -> 402
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2448740273.00007FFB4B300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffb4b300000_171480967918559ee0f09356f718ff0dfe668220d8cc78479cff337022e437f871dc7d.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 4ba6f712996a90bdedfbf65af5885d63650eaacab7ab08bd73906e6bf238cbf6
                                      • Instruction ID: f4f2e0c88eaeaeda882b8459da485eff68af44844f072d5e7a0482106c9835e0
                                      • Opcode Fuzzy Hash: 4ba6f712996a90bdedfbf65af5885d63650eaacab7ab08bd73906e6bf238cbf6
                                      • Instruction Fuzzy Hash: 2841E571A1CA5D8FDB58EF6CD8466F9BBE1EF59321F00427ED009C3292CE64A81287C1
                                      Uniqueness

                                      Uniqueness Score: -1.00%