Source: fg}.exe, type: SAMPLE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.0.fg}.exe.4d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000000.1314086519.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: fg}.exe, type: SAMPLE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.0.fg}.exe.4d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000000.1314086519.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: fg}.exe, lZz16auSsASjwTFg.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: fg}.exe, EUpXc4FBNK70VCAV.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: XClient.exe.0.dr, lZz16auSsASjwTFg.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: XClient.exe.0.dr, EUpXc4FBNK70VCAV.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: fg}.exe, kKP4mhaiB40j0WJyk55Hty3KpaIHMj.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: fg}.exe, kKP4mhaiB40j0WJyk55Hty3KpaIHMj.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: XClient.exe.0.dr, kKP4mhaiB40j0WJyk55Hty3KpaIHMj.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: XClient.exe.0.dr, kKP4mhaiB40j0WJyk55Hty3KpaIHMj.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: scrrun.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: linkinfo.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: ntshrui.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: cscapi.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: avicap32.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: msvfw32.dll |
Source: C:\Users\user\Desktop\fg}.exe |
Section loaded: winmm.dll |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.nMEbUPDap95wy0tD8G3QrrJloRUwbW84rut2Z5z3ntZYcf1j1UMIUHirThSVoS9JyTnhWAyKXE4O0NVGGnNPFC81,_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.Tbb8DvPKSl0W6nuy6DAnsFvy2sLkkWnuAhU8hRKAwLQFJAVPrLUpiakqKYDJMWpPeYOe8q5rkq3dI1uYF8pbazrj,_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.TNy0J82033vcFgs2bxsQ6OvPaPewgKOXcB89qXImEPx2ablhRct5aydB7QOcOYni1cf5bd4rcEo635tlKHC80aKI,_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG._7L9qZtgXJHqGXmKaVPAfJ0VrtBZYNCmIsa5T6sNfSGMXLn1CJ65HSPz5bgd4ba6oFgpQxPsZHjbfKSbnLaMxSRkf,EUpXc4FBNK70VCAV.SsM4HaS3mxdXVuvi()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fsmI8eEC06QTzO0u[2],EUpXc4FBNK70VCAV.S52Z16hS3e7QaWtV(Convert.FromBase64String(fsmI8eEC06QTzO0u[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { fsmI8eEC06QTzO0u[2] }}, (string[])null, (Type[])null, (bool[])null, true) |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.nMEbUPDap95wy0tD8G3QrrJloRUwbW84rut2Z5z3ntZYcf1j1UMIUHirThSVoS9JyTnhWAyKXE4O0NVGGnNPFC81,_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.Tbb8DvPKSl0W6nuy6DAnsFvy2sLkkWnuAhU8hRKAwLQFJAVPrLUpiakqKYDJMWpPeYOe8q5rkq3dI1uYF8pbazrj,_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.TNy0J82033vcFgs2bxsQ6OvPaPewgKOXcB89qXImEPx2ablhRct5aydB7QOcOYni1cf5bd4rcEo635tlKHC80aKI,_22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG._7L9qZtgXJHqGXmKaVPAfJ0VrtBZYNCmIsa5T6sNfSGMXLn1CJ65HSPz5bgd4ba6oFgpQxPsZHjbfKSbnLaMxSRkf,EUpXc4FBNK70VCAV.SsM4HaS3mxdXVuvi()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fsmI8eEC06QTzO0u[2],EUpXc4FBNK70VCAV.S52Z16hS3e7QaWtV(Convert.FromBase64String(fsmI8eEC06QTzO0u[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { fsmI8eEC06QTzO0u[2] }}, (string[])null, (Type[])null, (bool[])null, true) |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: TMxdjZlV6A3c8E5kT4gZnzVnxlsBqT System.AppDomain.Load(byte[]) |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: qRlclbJIAjME5rxC System.AppDomain.Load(byte[]) |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: qRlclbJIAjME5rxC |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: TMxdjZlV6A3c8E5kT4gZnzVnxlsBqT System.AppDomain.Load(byte[]) |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: qRlclbJIAjME5rxC System.AppDomain.Load(byte[]) |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
.Net Code: qRlclbJIAjME5rxC |
Source: fg}.exe, 22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.cs |
High entropy of concatenated method names |
Source: fg}.exe, rd1bhuRAKvlsbm7m.cs |
High entropy of concatenated method names |
Source: fg}.exe, q8dlgS785uD2Q.cs |
High entropy of concatenated method names |
Source: fg}.exe, kKP4mhaiB40j0WJyk55Hty3KpaIHMj.cs |
High entropy of concatenated method names |
Source: fg}.exe, EtrArFBKiAHGxPz1.cs |
High entropy of concatenated method names |
Source: fg}.exe, x796DvNGKZNtNfCKciEBF83GKKh7zn.cs |
High entropy of concatenated method names |
Source: fg}.exe, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
High entropy of concatenated method names |
Source: fg}.exe, xt1OJQtnZDKHEPNK.cs |
High entropy of concatenated method names |
Source: fg}.exe, EUpXc4FBNK70VCAV.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, 22JSrHb70IyjmjkQwaFdAAQ8umAk3gzviAF3bg60F4GSApoWpWa9Cd2EZIfuPyujxRaseQmqA00G2uDGPMD4GruG.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, rd1bhuRAKvlsbm7m.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, q8dlgS785uD2Q.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, kKP4mhaiB40j0WJyk55Hty3KpaIHMj.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, EtrArFBKiAHGxPz1.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, x796DvNGKZNtNfCKciEBF83GKKh7zn.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, Mh6pKaIqYgtBe5OQhobwC9hwd9Jv8x.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, xt1OJQtnZDKHEPNK.cs |
High entropy of concatenated method names |
Source: XClient.exe.0.dr, EUpXc4FBNK70VCAV.cs |
High entropy of concatenated method names |
Source: C:\Users\user\Desktop\fg}.exe |
Process information set: NOOPENFILEERRORBOX |
Source: fg}.exe, 00000000.00000002.3778806031.000000000303E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0 |
Source: fg}.exe, 00000000.00000002.3778806031.000000000303E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: fg}.exe, 00000000.00000002.3778806031.000000000303E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0 |
Source: fg}.exe, 00000000.00000002.3778806031.000000000303E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@ |
Source: fg}.exe, 00000000.00000002.3778806031.000000000303E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager2 |
Source: Yara match |
File source: fg}.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.fg}.exe.4d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1314086519.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: fg}.exe PID: 7540, type: MEMORYSTR |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED |