Windows Analysis Report
datXObAAn1.exe

Overview

General Information

Sample name: datXObAAn1.exe
renamed because original name is a hash value
Original sample name: 047501531983682c470ca7560077477a.exe
Analysis ID: 1569809
MD5: 047501531983682c470ca7560077477a
SHA1: 99d90e9b66320b9c08e9633607f15743f7d4af7c
SHA256: b3bf1cabe7e98e7120e69d3d5c63cea55dd9345aa9facae7a97a84134eaf1984
Tags: exe user-abuse_ch

Detection

Discord Rat
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • datXObAAn1.exe (PID: 3376 cmdline: "C:\Users\user\Desktop\datXObAAn1.exe" MD5: 047501531983682C470CA7560077477A)
    • WerFault.exe (PID: 1020 cmdline: C:\Windows\system32\WerFault.exe -u -p 3376 -s 2292 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
datXObAAn1.exe | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
00000000.00000000.2088969660.0000015DC4112000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
Process Memory Space: datXObAAn1.exe PID: 3376 | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
0.0.datXObAAn1.exe.15dc4110000.0.unpack | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |

No Sigma rule has matched
No Suricata rule has matched


          AV Detection

Source: datXObAAn1.exe | Avira: detected
Source: datXObAAn1.exe | ReversingLabs: Detection: 76%
Source: Yara match | File source: datXObAAn1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.datXObAAn1.exe.15dc4110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2088969660.0000015DC4112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: datXObAAn1.exe PID: 3376, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 89.3% probability
Source: datXObAAn1.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 162.159.133.234:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: datXObAAn1.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: System.Xml.ni.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Configuration.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: 6OindoC:\Windows\mscorlib.pdb source: datXObAAn1.exe, 00000000.00000002.2682067178.0000004F361F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: \??\C:\Windows\dll\System.pdbF source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdb( source: WER8110.tmp.dmp.4.dr
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8110.tmp.dmp.4.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbmhA source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6BD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: \??\C:\Windows\System.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.pdbN source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbm source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb" source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbb( source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE65A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: datXObAAn1.PDBp source: datXObAAn1.exe, 00000000.00000002.2682067178.0000004F361F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Core.ni.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Web.Extensions.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb<(I source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE65A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE65A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6BD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\Desktop\datXObAAn1.PDBChc source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6BD000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb<1 source: WER8110.tmp.dmp.4.dr
          Source: Binary string: C:\Users\user\Desktop\datXObAAn1.PDB source: datXObAAn1.exe, 00000000.00000002.2682067178.0000004F361F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE65A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Core.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8110.tmp.dmp.4.dr
          Source: Binary string: C:\Users\user\Desktop\datXObAAn1.PDB= source: datXObAAn1.exe, 00000000.00000002.2682067178.0000004F361F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbj source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: b77a5c561934e089\mscorlib.pdb) source: datXObAAn1.exe, 00000000.00000002.2682067178.0000004F361F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.pdb8 source: WER8110.tmp.dmp.4.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER8110.tmp.dmp.4.dr
          Source: Binary string: \??\C:\Windows\mscorlib.pdb> source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE6A1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 6OpC:\Users\user\Desktop\datXObAAn1.PDBp source: datXObAAn1.exe, 00000000.00000002.2682067178.0000004F361F1000.00000004.00000010.00020000.00000000.sdmp
Source: global traffic | HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1 | Connection: Upgrade,Keep-Alive | Upgrade: websocket | Sec-WebSocket-Key: vSkIBpAWb8swBcYy17y7pg== | Sec-WebSocket-Version: 13 | Host: gateway.discord.gg
Source: Joe Sandbox View | IP Address: 162.159.133.234 162.159.133.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1 | Connection: Upgrade,Keep-Alive | Upgrade: websocket | Sec-WebSocket-Key: vSkIBpAWb8swBcYy17y7pg== | Sec-WebSocket-Version: 13 | Host: gateway.discord.gg
Source: global traffic | DNS traffic detected: DNS query: gateway.discord.gg
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 06 Dec 2024 09:25:30 GMT | Content-Length: 0 | Connection: close | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9K%2FP6QVMyenNlpBg2RTZ6JUvqrtX5UROQh8w39RQI8RoqbLJk6F9I%2Bb3Y4lkfBQxL0SOAXRVDgEk6U1%2FAXecZrZ1SjnNBQeYkeg%2FM5UVcspl04zxdlz5E%2F1Y5qVTKfCpuUna2A%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | X-Content-Type-Options: nosniff | Server: cloudflare | CF-RAY: 8edb3aa3487a43c7-EWR
Source: datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gateway.discord.gg
Source: datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: datXObAAn1.exe | String found in binary or memory: http://www.google.com/maps/place/
Source: datXObAAn1.exe | String found in binary or memory: https://discord.com/api/v9/channels/
Source: datXObAAn1.exe | String found in binary or memory: https://discord.com/api/v9/guilds/
Source: datXObAAn1.exe | String found in binary or memory: https://file.io/
Source: datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg
Source: datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: datXObAAn1.exe | String found in binary or memory: https://geolocation-db.com/json
Source: datXObAAn1.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: datXObAAn1.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: datXObAAn1.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: datXObAAn1.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: datXObAAn1.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 162.159.133.234:443 -> 192.168.2.5:49704 version: TLS 1.2

          E-Banking Fraud

Source: Yara match | File source: datXObAAn1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.datXObAAn1.exe.15dc4110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2088969660.0000015DC4112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: datXObAAn1.exe PID: 3376, type: MEMORYSTR
Source: C:\Users\user\Desktop\datXObAAn1.exe | Code function: 0_2_00007FF848F113FB | 0_2_00007FF848F113FB
Source: C:\Users\user\Desktop\datXObAAn1.exe | Code function: 0_2_00007FF848F112D1 | 0_2_00007FF848F112D1
Source: C:\Users\user\Desktop\datXObAAn1.exe | Code function: 0_2_00007FF848F112E0 | 0_2_00007FF848F112E0
Source: C:\Users\user\Desktop\datXObAAn1.exe | Code function: 0_2_00007FF848F113D3 | 0_2_00007FF848F113D3
Source: C:\Users\user\Desktop\datXObAAn1.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3376 -s 2292
Source: datXObAAn1.exe | Static PE information: No import functions for PE file found
Source: datXObAAn1.exe, 00000000.00000000.2088969660.0000015DC4126000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDiscord rat.exe8 vs datXObAAn1.exe
Source: datXObAAn1.exe | Binary or memory string: OriginalFilenameDiscord rat.exe8 vs datXObAAn1.exe
Source: classification engine | Classification label: mal80.troj.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\datXObAAn1.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3376
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\afa87438-5cdf-45fa-a361-9720592730f6
Source: datXObAAn1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: datXObAAn1.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\datXObAAn1.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: datXObAAn1.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\datXObAAn1.exe | File read: C:\Users\user\Desktop\datXObAAn1.exe
Source: unknown | Process created: C:\Users\user\Desktop\datXObAAn1.exe "C:\Users\user\Desktop\datXObAAn1.exe"
Source: C:\Users\user\Desktop\datXObAAn1.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3376 -s 2292
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: websocket.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\datXObAAn1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\datXObAAn1.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: datXObAAn1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: datXObAAn1.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: datXObAAn1.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

Source: datXObAAn1.exe, Program.cs | .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: datXObAAn1.exe, Program.cs | .Net Code: password
Source: datXObAAn1.exe, Program.cs | .Net Code: webcampic
Source: datXObAAn1.exe, Program.cs | .Net Code: select_cam
Source: datXObAAn1.exe, Program.cs | .Net Code: get_cams
Source: datXObAAn1.exe, Program.cs | .Net Code: get_tokens
Source: datXObAAn1.exe | Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
Source: C:\Users\user\Desktop\datXObAAn1.exe | Code function: 0_2_00007FF848F13FFD push ebx; retf 000Bh | 0_2_00007FF848F13FCA
Source: C:\Users\user\Desktop\datXObAAn1.exe | Code function: 0_2_00007FF848F13F9D push ebx; retf 000Bh | 0_2_00007FF848F13FCA
Source: C:\Users\user\Desktop\datXObAAn1.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\datXObAAn1.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\datXObAAn1.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\datXObAAn1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\datXObAAn1.exe | Memory allocated: 15DC4460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\datXObAAn1.exe | Memory allocated: 15DDDEC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\datXObAAn1.exe TID: 6088 | Thread sleep count: 243 > 30
Source: C:\Users\user\Desktop\datXObAAn1.exe TID: 6088 | Thread sleep count: 255 > 30
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: datXObAAn1.exe, 00000000.00000002.2683773544.0000015DDE630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\datXObAAn1.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\datXObAAn1.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\datXObAAn1.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\datXObAAn1.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\datXObAAn1.exe | Queries volume information: C:\Users\user\Desktop\datXObAAn1.exe VolumeInformation
Source: C:\Users\user\Desktop\datXObAAn1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\datXObAAn1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: datXObAAn1.exe, Program.cs | .Net Code: DisableTaskManager
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

Source: Yara match | File source: datXObAAn1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.datXObAAn1.exe.15dc4110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2088969660.0000015DC4112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: datXObAAn1.exe PID: 3376, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: datXObAAn1.exe, type: SAMPLE
Source: Yara match | File source: 0.0.datXObAAn1.exe.15dc4110000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2088969660.0000015DC4112000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: datXObAAn1.exe PID: 3376, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (3), Disable or Modify Tools (11), Process Injection (1), Obfuscated Files or Information (1), Software Packing (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (3), System Information Discovery (12), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
datXObAAn1.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.DiscordRAT
datXObAAn1.exe | 100% | Avira | TR/Agent.lsgui
datXObAAn1.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gateway.discord.gg | 162.159.133.234 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://gateway.discord.gg/?v=9&encording=json | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://geolocation-db.com/json | datXObAAn1.exe | false | | high
https://file.io/ | datXObAAn1.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte | datXObAAn1.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll | datXObAAn1.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d | datXObAAn1.exe | false | | high
https://gateway.discord.gg:443/?v=9&encording=json | datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5EC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
http://gateway.discord.gg | datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F75000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gateway.discord.gg | datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F59000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll | datXObAAn1.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5EC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/channels/ | datXObAAn1.exe | false | | high
https://gateway.discord.gg/?v=9&encording=jsonX | datXObAAn1.exe, 00000000.00000002.2683343767.0000015DC5F59000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/guilds/ | datXObAAn1.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra | datXObAAn1.exe | false | | high
http://www.google.com/maps/place/ | datXObAAn1.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.133.234 | gateway.discord.gg | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569809
Start date and time: 2024-12-06 10:24:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: datXObAAn1.exe (renamed because the original name is a hash value)
Original Sample Name: 047501531983682c470ca7560077477a.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@2/5@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 12
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target datXObAAn1.exe, PID 3376 because it is empty
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: datXObAAn1.exe
                                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.159.133.234 | skyljne.mpsl.elf | malicious | Mirai | /goform/set_LimitClient_cfg

Match | Associated Sample Name / URL | Detection | Threat Name | Context
gateway.discord.gg | EeXJoO1J62.exe | malicious | Discord Rat | 162.159.130.234
gateway.discord.gg | gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.136.234
gateway.discord.gg | XZaysgiUfm.exe | malicious | Discord Rat | 162.159.130.234
gateway.discord.gg | EeXJoO1J62.exe | malicious | Discord Rat | 162.159.136.234
gateway.discord.gg | gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.135.234
gateway.discord.gg | XZaysgiUfm.exe | malicious | Discord Rat | 162.159.133.234
gateway.discord.gg | SecuriteInfo.com.Win64.MalwareX-gen.18133.14409.exe | malicious | Discord Rat | 162.159.130.234
gateway.discord.gg | BX7yRz7XqF.lnk | malicious | PureLog Stealer, zgRAT | 162.159.135.234
gateway.discord.gg | jKSjtQ8W7O.lnk | malicious | PureLog Stealer, zgRAT | 162.159.135.234

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | EeXJoO1J62.exe | malicious | Discord Rat | 162.159.130.234
CLOUDFLARENETUS | gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.136.234
CLOUDFLARENETUS | DEeQxdFfyL.exe | malicious | Unknown | 104.21.11.231
CLOUDFLARENETUS | XZaysgiUfm.exe | malicious | Discord Rat | 162.159.130.234
CLOUDFLARENETUS | EeXJoO1J62.exe | malicious | Discord Rat | 162.159.136.234
CLOUDFLARENETUS | gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.135.234
CLOUDFLARENETUS | XZaysgiUfm.exe | malicious | Discord Rat | 162.159.133.234
CLOUDFLARENETUS | pn866G3CCj.lnk | malicious | Unknown | 104.21.21.242
CLOUDFLARENETUS | QUOTATON-37839993.exe | malicious | FormBook | 172.67.178.93

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | EeXJoO1J62.exe | malicious | Discord Rat | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | XZaysgiUfm.exe | malicious | Discord Rat | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | EeXJoO1J62.exe | malicious | Discord Rat | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | XZaysgiUfm.exe | malicious | Discord Rat | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe | malicious | AgentTesla | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exe | malicious | Snake Keylogger, VIP Keylogger | 162.159.133.234
3b5074b1b5d032e5620f69f9f700ff0e | Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe | malicious | Snake Keylogger, VIP Keylogger | 162.159.133.234
                                              No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1652515569464934
Encrypted: false
SSDEEP: 192:3PGMbTnb1P08rLVcaWgdl/N6fmzuiFOZ24lO8J:fGMbTnbe8rLVcaL/gfmzuiFOY4lO8J
MD5: EE618EFE97C0121F6CA90AC3C5B3514E
SHA1: FF09A18F93AD45B7F4021CF102A6732760B71AE0
SHA-256: 9838FD46AE75F1FC09350444D89C108E557F9B121E5FDD396DDF0B34E796D7AF
SHA-512: 5AFB6431D3A384D3133A36445A3519E5838AF3312732BB34C749A4273BEBEB308F8FB88BD0712B8F72253A288F0005255C22FE997AE3C1563C8CE7F50D4605FA
Malicious: true
Reputation: low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.9.5.0.7.3.0.6.1.4.9.9.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.9.5.0.7.3.1.2.7.1.2.5.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.d.e.d.a.e.b.-.d.8.f.a.-.4.4.4.9.-.8.3.3.a.-.8.1.8.6.8.3.c.a.5.1.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.a.c.d.a.4.5.-.c.a.a.e.-.4.d.0.7.-.b.7.a.5.-.9.4.7.1.3.d.6.8.d.4.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.d.a.t.X.O.b.A.A.n.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.3.0.-.0.0.0.1.-.0.0.1.4.-.1.3.3.f.-.5.0.c.9.c.0.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.9.9.d.9.0.e.9.b.6.6.3.2.0.b.9.c.0.8.e.9.6.3.3.6.0.7.f.1.5.7.4.3.f.7.d.4.a.f.7.c.!.d.a.t.X.O.b.A.A.
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:Mini DuMP crash report, 16 streams, Fri Dec 6 09:25:30 2024, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):533199
                                              Entropy (8bit):2.945283654611943
                                              Encrypted:false
                                              SSDEEP:3072:lC/ku2yA0MRSals4OhQhcS/PuB8Ytse6d29P4Of1CCqUix3+vGWoVmfyBOXpIymD:lC/h2yAvxlsxU/2B8Yie6d29PNvqL3Q
                                              MD5:13D27A4AF84EACA8CE6E9927CD29EE93
                                              SHA1:D08C83D2ED245839FE64B160546D7ABE7F53633A
                                              SHA-256:51B542540FA4DF8726E0F10BDABBE67478D43BCE7121B7A42707471ADD4051F4
                                              SHA-512:E687E24CBCE0752B0DB6526403411F334096CAB0E5B670669229ED96ACB8B22D8A12D86FB23497A6BFF9F1DE8F73A20CFCA6BD875B711FFC631F92C042AEC01F
                                              Malicious:false
                                              Reputation:low
                                              Preview:MDMP..a..... .........Rg....................................<....(...........(......4?..............l.......8...........T............Y..7............3...........5..............................................................................eJ......x6......Lw......................T.......0.....Rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8804
                                              Entropy (8bit):3.7014652743117757
                                              Encrypted:false
                                              SSDEEP:192:R6l7wVeJr5t6YEI5nvagmfZuEDxprr89bvKJVfGGBlm:R6lXJlt6YEmnvagmfnDgvKLfGG6
                                              MD5:8813FDFC0D7451B4C055C54CAAF62E3E
                                              SHA1:050D3E6698FC5C67E19AE18CC1C4EB649BE99B86
                                              SHA-256:654AFCCD7028BEAB6214E035BD2B8A47C9348EA92669BA0E06F161C736C716A1
                                              SHA-512:EE189350408370BCD9F1C6FD478FE26DC002A445D7CE86C49923BE9CD948D889B05A18266BEB2319937F95DDE6C51D9DC9A90489A66920123D3D881A0DCC0D0E
                                              Malicious:false
                                              Reputation:low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.7.6.<./.P.i.
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4806
                                              Entropy (8bit):4.469354964586806
                                              Encrypted:false
                                              SSDEEP:48:cvIwWl8zsZIJg771I9LIWpW8VYeYm8M4Jj4b6F1Iyq8vK4b050O2dd:uIjf4I78h7VKJUlWxq0O2dd
                                              MD5:748A9B05C0A69DC0408DAAF642D4432E
                                              SHA1:6D16A933567A43C5BB8C27031D71341F062CA21B
                                              SHA-256:B079F0596228C759D40909355C93FDAAD4B6861E32DCFE49F80253D0F6297DD4
                                              SHA-512:4BE0E419E88A2ABB70ECA11930A5ACE46876ED4D0D78F26C11A9086054D59B33520844392A81975901D9CEA88B98E1AC5655EF0D4DE4C6344973AB5CBC739E9C
                                              Malicious:false
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="619228" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                              Process:C:\Windows\System32\WerFault.exe
                                              File Type:MS Windows registry file, NT/2000 or above
                                              Category:dropped
                                              Size (bytes):1835008
                                              Entropy (8bit):4.4216755130307375
                                              Encrypted:false
                                              SSDEEP:6144:WSvfpi6ceLP/9skLmb0OT2WSPHaJG8nAgeMZMMhA2fX4WABlEnN60uhiTw:1vloT2W+EZMM6DFys03w
                                              MD5:41537D7390519A954D53BCF96118DFE1
                                              SHA1:BCF3E9CFE4BB142318F2C9E92427CCCC815B3493
                                              SHA-256:E5822D5FCC3A093EA8AD50909CB9F1AF5A56684096CB0FEBF8D13BE3C05E1195
                                              SHA-512:10B0C0B35AFF6A10FB823A9BE12D11CE44291DBE66CC348A23637887B73BCBC0BD0A75F83EC5D9028F55F499A2DC2F51496FDE26133DBF9FF429376DF03D4223
                                              Malicious:false
                                              Reputation:low
                                              Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3%..G...............................................................................................................................................................................................................................................................................................................................................2.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.481972869800377
                                              TrID:
                                              • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                              • Win64 Executable GUI (202006/5) 46.43%
                                              • Win64 Executable (generic) (12005/4) 2.76%
                                              • Generic Win/DOS Executable (2004/3) 0.46%
                                              • DOS Executable Generic (2002/1) 0.46%
                                              File name:datXObAAn1.exe
                                              File size:80'384 bytes
                                              MD5:047501531983682c470ca7560077477a
                                              SHA1:99d90e9b66320b9c08e9633607f15743f7d4af7c
                                              SHA256:b3bf1cabe7e98e7120e69d3d5c63cea55dd9345aa9facae7a97a84134eaf1984
                                              SHA512:47e76b0d14c5d2f601b087413bfa9ba6a00ea11a9ec6666e4787c926b0a2df92da313ed4fe6736913d623de21683ea876006eb43d75a10cd5902be6a2b662bab
                                              SSDEEP:1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+JPIC:5Zv5PDwbjNrmAE+5IC
                                              TLSH:1D73B8C877AD8903FBBF5EBD147141524B72BB17E935F68D088C54E611B2B828C42B9B
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..2............... .....@..... ....................................`...@......@............... .....
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x140000000
                                              Entrypoint Section:
                                              Digitally signed:false
                                              Imagebase:0x140000000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:
                                              Instruction
                                              dec ebp
                                              pop edx
                                              nop
                                              add byte ptr [ebx], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax+eax], al
                                              add byte ptr [eax], al
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x5b6 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0x13038 | 0x13200 | 7bd512c640b948f8b20b575e45af07b6 | False | 0.3582388684640523 | data | 5.50802492431089 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x16000 | 0x5b6 | 0x600 | bea68bc442fa63fbe2807c2fdac84be0 | False | 0.416015625 | data | 4.08919936126734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_VERSION | 0x160a0 | 0x32c | data | | | 0.41995073891625617
                                               RT_MANIFEST | 0x163cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Dec 6, 2024 10:25:29.137494087 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:29.137554884 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:29.137655020 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:29.155109882 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:29.155123949 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.373792887 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.373970985 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:30.378084898 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:30.378106117 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.378367901 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.422703981 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:30.616764069 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:30.663330078 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.966092110 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.966156006 CET | 443 | 49704 | 162.159.133.234 | 192.168.2.5
                                               Dec 6, 2024 10:25:30.966223001 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Dec 6, 2024 10:25:30.973238945 CET | 49704 | 443 | 192.168.2.5 | 162.159.133.234
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Dec 6, 2024 10:25:28.982750893 CET | 59004 | 53 | 192.168.2.5 | 1.1.1.1
                                               Dec 6, 2024 10:25:29.125179052 CET | 53 | 59004 | 1.1.1.1 | 192.168.2.5
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Dec 6, 2024 10:25:28.982750893 CET | 192.168.2.5 | 1.1.1.1 | 0xb626 | Standard query (0) | gateway.discord.gg | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Dec 6, 2024 10:25:29.125179052 CET | 1.1.1.1 | 192.168.2.5 | 0xb626 | No error (0) | gateway.discord.gg | | 162.159.133.234 | A (IP address) | IN (0x0001) | false
                                               Dec 6, 2024 10:25:29.125179052 CET | 1.1.1.1 | 192.168.2.5 | 0xb626 | No error (0) | gateway.discord.gg | | 162.159.136.234 | A (IP address) | IN (0x0001) | false
                                               Dec 6, 2024 10:25:29.125179052 CET | 1.1.1.1 | 192.168.2.5 | 0xb626 | No error (0) | gateway.discord.gg | | 162.159.135.234 | A (IP address) | IN (0x0001) | false
                                               Dec 6, 2024 10:25:29.125179052 CET | 1.1.1.1 | 192.168.2.5 | 0xb626 | No error (0) | gateway.discord.gg | | 162.159.134.234 | A (IP address) | IN (0x0001) | false
                                               Dec 6, 2024 10:25:29.125179052 CET | 1.1.1.1 | 192.168.2.5 | 0xb626 | No error (0) | gateway.discord.gg | | 162.159.130.234 | A (IP address) | IN (0x0001) | false
                                              • gateway.discord.gg
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.5 | 49704 | 162.159.133.234 | 443 | 3376 | C:\Users\user\Desktop\datXObAAn1.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               2024-12-06 09:25:30 UTC | 187 | OUT | GET /?v=9&encording=json HTTP/1.1
                                              Connection: Upgrade,Keep-Alive
                                              Upgrade: websocket
                                              Sec-WebSocket-Key: vSkIBpAWb8swBcYy17y7pg==
                                              Sec-WebSocket-Version: 13
                                              Host: gateway.discord.gg
                                               2024-12-06 09:25:30 UTC | 618 | IN | HTTP/1.1 404 Not Found
                                              Date: Fri, 06 Dec 2024 09:25:30 GMT
                                              Content-Length: 0
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9K%2FP6QVMyenNlpBg2RTZ6JUvqrtX5UROQh8w39RQI8RoqbLJk6F9I%2Bb3Y4lkfBQxL0SOAXRVDgEk6U1%2FAXecZrZ1SjnNBQeYkeg%2FM5UVcspl04zxdlz5E%2F1Y5qVTKfCpuUna2A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                              X-Content-Type-Options: nosniff
                                              Server: cloudflare
                                              CF-RAY: 8edb3aa3487a43c7-EWR


                                              Target ID:0
                                              Start time:04:25:27
                                              Start date:06/12/2024
                                              Path:C:\Users\user\Desktop\datXObAAn1.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\datXObAAn1.exe"
                                              Imagebase:0x15dc4110000
                                              File size:80'384 bytes
                                              MD5 hash:047501531983682C470CA7560077477A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: 00000000.00000000.2088969660.0000015DC4112000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:4
                                              Start time:04:25:30
                                              Start date:06/12/2024
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 3376 -s 2292
                                              Imagebase:0x7ff6bfbe0000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (]H$(_H$(`H$(aH$8`H$8aH$;O_I$<O_I$=O_I$>O_I$H^H$H_H$H`H$HaH$P\H$X^H$X_H$X`H$XaH$h^H$h_H$h`H$haH$p]H$x^H$x`H$xaH$\H$^H$`H
                                                • API String ID: 0-1131385418
                                                • Opcode ID: 5efe219a48fd4d4bf234b860d673b11c814965ffa573fbad9cb30a2ae6c43d0a
                                                • Instruction ID: 4a97c34055d995178da199b36a2485685191a80a173aca29a6a12a6ebceeb411
                                                • Opcode Fuzzy Hash: 5efe219a48fd4d4bf234b860d673b11c814965ffa573fbad9cb30a2ae6c43d0a
                                                • Instruction Fuzzy Hash: 37F1DA73D0EAE28FE255A77C68161385E90FFD3B50B9845FBC4888B1DFEA189D0A4345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: {=O_^
                                                • API String ID: 0-164548977
                                                • Opcode ID: 4d9702b99eb07f1afd6e443da11d170ac4ac6dec8b2928c54a152e8006f0d32d
                                                • Instruction ID: 83617183676ab037b6c165c6df380bc8e7b0af83d3e90ed2337bb7beaef7e36e
                                                • Opcode Fuzzy Hash: 4d9702b99eb07f1afd6e443da11d170ac4ac6dec8b2928c54a152e8006f0d32d
                                                • Instruction Fuzzy Hash: ACE04F7145CB088FC344EF18D44049AB7E0FF94360F800B2EF49AC21A1DB7595818A82
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 055bb70f0c31129d4aec9cdb1405c55c3ff262c86ddff139f902a508ce26b1e9
                                                • Instruction ID: 90cff2f20b23311c119f9bbd1ca5da1af4f3debf55c12921a80835298e846dcd
                                                • Opcode Fuzzy Hash: 055bb70f0c31129d4aec9cdb1405c55c3ff262c86ddff139f902a508ce26b1e9
                                                • Instruction Fuzzy Hash: EBC1C430A19A4E8FDB99EF68C455AAA77E1FF94350F1405A9D40AC72D6CB39EC42CB40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b5cdf6e6a8d1df526f0f816db7b29e920a97432d4f6939e5e4c19a943cda35d
                                                • Instruction ID: 883d41bb863c649f7d488d24b14f652c40c2951254f545a4079e92ab6a8a8344
                                                • Opcode Fuzzy Hash: 4b5cdf6e6a8d1df526f0f816db7b29e920a97432d4f6939e5e4c19a943cda35d
                                                • Instruction Fuzzy Hash: 5881557254DB895FD382A7B8A81A5F97FF0EF8627074801FBC484CB1A2DA1C5C8AC715
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df0cdb0204895be235d190d83d9435a09ddadab15945e1207cfa9fd45e782b06
                                                • Instruction ID: 4eaa4c3c1814aefa24f00704c50e54eefd511667f483cd43525f02c7a7361d01
                                                • Opcode Fuzzy Hash: df0cdb0204895be235d190d83d9435a09ddadab15945e1207cfa9fd45e782b06
                                                • Instruction Fuzzy Hash: D751BE3290D6EA5FE762773458251E57FA0DF863A0F0902FAD888CB0D3DE1D6C1A8356
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 743f19d48b923e9b6f07a47712a10cc7f9b52071658dcfd67b3752bed3de1ae0
                                                • Instruction ID: 0ccbf9a1e99b373fd30636477835a0c832a355d781b1907f3ee6133d8e0115be
                                                • Opcode Fuzzy Hash: 743f19d48b923e9b6f07a47712a10cc7f9b52071658dcfd67b3752bed3de1ae0
                                                • Instruction Fuzzy Hash: A3515131A19A4A8FDB98EF58C494ABA77E1FFA8350F14057AD409C7696CF34EC418B44
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0728dd5990a199ac5b9eb3ee025cb4dc466b59378410d1051673d7ac27fb62cd
                                                • Instruction ID: bc61553b9bcfbbc66662eb2d39788b65c2b0ef7bad470b31abe8f01cc6d8c689
                                                • Opcode Fuzzy Hash: 0728dd5990a199ac5b9eb3ee025cb4dc466b59378410d1051673d7ac27fb62cd
                                                • Instruction Fuzzy Hash: 53518070918B1C8FDB58EF58D8456E9BBF1FB99310F00826BD449D7256DB34A885CBC2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee9aa882aa120fe5d69b0c9a2380adb226b02e9df52103d612283a4981cd5544
                                                • Instruction ID: 36f2cafc4189df51c8a1203b2cce32fdc860f0310f64a9e535e64c8edd96e475
                                                • Opcode Fuzzy Hash: ee9aa882aa120fe5d69b0c9a2380adb226b02e9df52103d612283a4981cd5544
                                                • Instruction Fuzzy Hash: 0C216D32D0D96E4EEBA4B72848122FA76E1EFC9390F44017AD81DC25C3DF197C1A0685
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5cd3237f13bfb72659b658b5794dae13f63242c81f86480d514a97559f9f17f
                                                • Instruction ID: 9aa45b2738bdd32c4f4c3fc8fef3431773c7938e6b5cafd6e8ae4aff2030605c
                                                • Opcode Fuzzy Hash: e5cd3237f13bfb72659b658b5794dae13f63242c81f86480d514a97559f9f17f
                                                • Instruction Fuzzy Hash: F9F0B73160864E8FCF85EF48D4419EBB7A1FFA8310B104666E519C7189CA34E9558BC4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0983931071cb5e69647e040e818663a2d9cfd56a12bf909c61fdc1ed1e780468
                                                • Instruction ID: 4026c6fd158df3ae1c2ec3abe2f662581811951a01eabb88b1205ccfdb77731f
                                                • Opcode Fuzzy Hash: 0983931071cb5e69647e040e818663a2d9cfd56a12bf909c61fdc1ed1e780468
                                                • Instruction Fuzzy Hash: 52E02B3190D7950FE359B36C18513717EE2DF89200F0440FFD089C36E3C9891C414352
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5e8e5f1975ea1acf51d31757b191d1957ac1f08055f9de4543f33268d412ffa
                                                • Instruction ID: e970f4fe034e9bf5e76a2e2c0e5a99089aca11883c0479705a6274fec3ef2c9b
                                                • Opcode Fuzzy Hash: c5e8e5f1975ea1acf51d31757b191d1957ac1f08055f9de4543f33268d412ffa
                                                • Instruction Fuzzy Hash: 2CE0C221F4A81E4DEB44F3B4281A1FEB266EFC4344FC00831E40DC20C3CE2C29010185
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48097dd408900e63533ac948ce191eff3c14084904da843f5a09efc5858e6da8
                                                • Instruction ID: 2e23e301994167f2fa728653578e2e06e44a5569bf6ac953a7a497e8fe5782b9
                                                • Opcode Fuzzy Hash: 48097dd408900e63533ac948ce191eff3c14084904da843f5a09efc5858e6da8
                                                • Instruction Fuzzy Hash: F7C0123246C6495BD341B710E4418EA7390FFD0750F841B39F04A41099DD6566458581
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0bfe508631120ffc3877866a616f4e658cbb90c6c2943239df66cb1d69ef3a0
                                                • Instruction ID: f6248420d1b0f3cf67c3a641dbdcd350624e2ac4f453aa228a1768d4e805217d
                                                • Opcode Fuzzy Hash: e0bfe508631120ffc3877866a616f4e658cbb90c6c2943239df66cb1d69ef3a0
                                                • Instruction Fuzzy Hash: 6AA1231BA1E562A9E65173BE74411EE6B60EFC13B9F084677D24C8D4C34B0D68C682FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39ce1342612bec98efd202b19fe22e574b857b856ff6302e3654dceb6dd8c460
                                                • Instruction ID: a2f4ed352c4ff8bb184fa84ac58377640be17c938a1511b3d467cb985460dade
                                                • Opcode Fuzzy Hash: 39ce1342612bec98efd202b19fe22e574b857b856ff6302e3654dceb6dd8c460
                                                • Instruction Fuzzy Hash: 64A11E17A1E562A9E65173BE74461EA6B60EF813B9F084777D28C8D0C34F0D68C582FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0750cb3131ba6d068c55bddae2200c0fc3a199af5c37e4e6188020b34692039b
                                                • Instruction ID: 4009f2bbbbd760dd1ef7fffd8efbccad99be8623632277355cbf4820d08cc127
                                                • Opcode Fuzzy Hash: 0750cb3131ba6d068c55bddae2200c0fc3a199af5c37e4e6188020b34692039b
                                                • Instruction Fuzzy Hash: B6510F57A2F562A5E25132BE74065FA6B64EF813B9F484777E24C8D0834F0C68C682FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d9fe190739dc8e2547c503224a4f58e132d4157addba4b2db9c72d3c9137c56
                                                • Instruction ID: f58bc6b89289d1f78403ef4c8f7d4e1b2fc1f47e782810d3301910249b3d61b7
                                                • Opcode Fuzzy Hash: 8d9fe190739dc8e2547c503224a4f58e132d4157addba4b2db9c72d3c9137c56
                                                • Instruction Fuzzy Hash: 10510E57A2B562A9E25132BD74065EA6B64EF813F9F088777E14C8D0834F0C648682FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (]H$(_H$(`H$(aH$8`H$8aH$;O_I$<O_I$=O_I$>O_I$H^H$H_H$H`H$HaH$P\H$X^H$X_H$X`H$XaH$h^H$h_H$h`H$haH$p]H$x^H$x`H$xaH$\H$^H$`H
                                                • API String ID: 0-1131385418
                                                • Opcode ID: fc243e506cde565604c108fc50acc86e1ee19c3baba26f741a7243a3deaed4a5
                                                • Instruction ID: 624a6a92b633ba9d4611e51e9a4863fcc1382e3098f70000f5c13078cdcb69f2
                                                • Opcode Fuzzy Hash: fc243e506cde565604c108fc50acc86e1ee19c3baba26f741a7243a3deaed4a5
                                                • Instruction Fuzzy Hash: BAE1ED73D0EAE28FE255677C68161385E90FFD3B50B9944FBC4888B1DFEA189D094345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (_H$(`H$(aH$8`H$8aH$;O_I$<O_I$=O_I$H_H$H`H$HaH$X_H$X`H$XaH$h_H$h`H$haH$x`H$xaH$^H$`H
                                                • API String ID: 0-2426327800
                                                • Opcode ID: 4cc017994664f1fa84d50591c0d009584fc0cf0d60566bb89e75a0c4383fe641
                                                • Instruction ID: d82af930646a875894390b87d1c29b74a11cf2b79420298e3b117378d2b186db
                                                • Opcode Fuzzy Hash: 4cc017994664f1fa84d50591c0d009584fc0cf0d60566bb89e75a0c4383fe641
                                                • Instruction Fuzzy Hash: DBB1DC73D0EAE28FE255A77CA81A1385E50BFD3B50B9845FBC4888B1DFEA189D094345
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (]H$Ks]I$P\H$ns]I$p]H$\H
                                                • API String ID: 0-605431480
                                                • Opcode ID: 691c083c13f1f14cd11beb241d1aa74a002b26b7ea0379117dc0329cf931e39a
                                                • Instruction ID: 2a1a50350e73c5b362f1560d12c07d532d05fc50a5e088c500c5710705913f81
                                                • Opcode Fuzzy Hash: 691c083c13f1f14cd11beb241d1aa74a002b26b7ea0379117dc0329cf931e39a
                                                • Instruction Fuzzy Hash: 9931F662D0E9E24FF316233C28991386E91FFD3B50F5808FBC448CB0DBA5589D19435A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2684234145.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ff848f10000_datXObAAn1.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (]H$P\H$p]H$\H
                                                • API String ID: 0-2901508104
                                                • Opcode ID: 727fb4e5c17ac8fe8fcbe80d2ba13ded1f89883f58e0a99f9fb508a5f3899889
                                                • Instruction ID: 0c7d38486f32356f3ae4d82c3b223a14627e78286f94e8cc27eb76dfc2548545
                                                • Opcode Fuzzy Hash: 727fb4e5c17ac8fe8fcbe80d2ba13ded1f89883f58e0a99f9fb508a5f3899889
                                                • Instruction Fuzzy Hash: 2E21C326E0E9E24FE316237C38991386F91FFD3750B5808FBC448CB0DB95588C59435A