Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name: Client-built.exe
Analysis ID: 1572244
MD5: 051a35afeeaefb8cd96b0fb74673fce5
SHA1: 789f61f744f5db242338d2a681239e47920659d7
SHA256: e7f2b9453131a2040ff975e27915fe21f6b80953b12fe6d7309af2f6db45cb14
Tags: exe, XWorm, user-lontze7

Detection

Discord Rat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Client-built.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\Client-built.exe" MD5: 051A35AFEEAEFB8CD96B0FB74673FCE5)
    • WerFault.exe (PID: 1220 cmdline: C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"Discord Token": "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o", "Server ID": "1313949691574226985"}
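The extracted configuration above is a Discord bot token and a guild ("Server ID"). Two pieces of it can be dated offline without ever using the token: the first dot-separated segment of a Discord token is the account's decimal ID, base64-encoded without padding, and every Discord ID is a snowflake whose upper 42 bits are a millisecond timestamp relative to 2015-01-01 UTC. The script below is an added example and is not part of the Joe Sandbox report; it relies only on that documented layout and on the two values shown above, and it makes no network connection. The timestamp and HMAC segments of the token are not a documented format and are intentionally not decoded.

```python
import base64
from datetime import datetime, timedelta, timezone

# Values copied from the extracted configuration in the report above.
DISCORD_TOKEN = "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o"
SERVER_ID = "1313949691574226985"

# Discord's snowflake epoch (2015-01-01T00:00:00Z).
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)


def token_user_id(token: str) -> int:
    """Return the account ID carried in the first segment of a Discord token.

    The first dot-separated segment is the decimal user/bot ID, base64-encoded
    without padding. The other two segments (a timestamp and an HMAC) are not
    a documented format and are deliberately left alone here.
    """
    first = token.split(".")[0]
    first += "=" * (-len(first) % 4)  # restore the padding base64 needs
    decoded = base64.urlsafe_b64decode(first).decode("ascii")
    if not decoded.isdigit():
        raise ValueError("first token segment does not decode to a decimal ID")
    return int(decoded)


def snowflake_fields(snowflake: int) -> dict:
    """Split a Discord snowflake into the fields Discord documents."""
    return {
        "created_at": DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22),
        "worker_id": (snowflake >> 17) & 0x1F,
        "process_id": (snowflake >> 12) & 0x1F,
        "increment": snowflake & 0xFFF,
    }


def summarize_config(token: str, server_id: str) -> dict:
    """Date the bot account and the guild named in an extracted configuration."""
    bot_id = token_user_id(token)
    guild_id = int(server_id)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "bot_id": bot_id,
        "bot_created": snowflake_fields(bot_id)["created_at"].strftime(fmt),
        "guild_id": guild_id,
        "guild_created": snowflake_fields(guild_id)["created_at"].strftime(fmt),
    }


if __name__ == "__main__":
    for key, value in summarize_config(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

Both IDs decode to creation times within the week before the analysis date in the report (10 Dec 2024), which is what one expects of a freshly built client: the operator creates a bot and a guild, then builds the client with that token. The bot ID is also the value to hand to Discord when reporting the token for revocation.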
Yara matches (Source | Rule | Description | Author):
Client-built.exe | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
Process Memory Space: Client-built.exe PID: 6832 | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
0.0.Client-built.exe.26500280000.0.unpack | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Client-built.exe | Avira: detected
Source: Client-built.exe | Malware Configuration Extractor: Discord Rat {"Discord Token": "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o", "Server ID": "1313949691574226985"}
Source: Client-built.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.2% probability
Source: Client-built.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Client-built.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\System.pdb) | source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS | source: WERE495.tmp.dmp.3.dr
Source: Binary string: b77a5c561934e089\mscorlib.pdbNe | source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp | source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: Client-built.PDB` | source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbn | source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.Xml.ni.pdbRSDS# | source: WERE495.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB | source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbt] | source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Web.Extensions.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: mscorlib.pdb | source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp, WERE495.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB= | source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Client-built.PDBP\ | source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Users\user\Desktop\Client-built.PDB` | source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb | source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb | source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR | source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbA | source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN | source: WERE495.tmp.dmp.3.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb | source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb | source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb | source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WERE495.tmp.dmp.3.dr
Source: global traffic | HTTP traffic detected (WebSocket upgrade request to the Discord Gateway):
  GET /?v=9&encording=json HTTP/1.1
  Connection: Upgrade,Keep-Alive
  Upgrade: websocket
  Sec-WebSocket-Key: GobKN9foaKmPGPS7JbnRqg==
  Sec-WebSocket-Version: 13
  Host: gateway.discord.gg
Source: Joe Sandbox View | IP Address: 162.159.135.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gateway.discord.gg
Source: global traffic | HTTP traffic detected (response to the upgrade request):
  HTTP/1.1 404 Not Found
  Date: Tue, 10 Dec 2024 09:07:07 GMT
  Content-Length: 0
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zQvCRIfUa%2Fref6sxWM3WMRSg3c6mG5bBUlmHyiMCsTxo3gmI5wcap11iN8poWum2kY28iY26Kgxytm1jmYOhhGsEBpqW4JQ2Z3prMJ9%2BzpW3Oic9dH0VtTLBxUbTze6%2B28BGlg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 8efc15350e0e436a-EWR
  Note: the Gateway refused the upgrade with 404 and closed the connection, so no WebSocket session was established in this run; the only C2 activity observed is this single failed handshake, which is consistent with the absence of further network events and Suricata hits below.
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502165000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: Client-built.exe | String found in binary or memory: http://www.google.com/maps/place/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/channels/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/guilds/
Source: Client-built.exe | String found in binary or memory: https://file.io/
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.2229419737.0000026500554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: Client-built.exe | String found in binary or memory: https://geolocation-db.com/json
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.4:49730 version: TLS 1.2
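The request and response captured above are the whole of the observed C2 exchange: a WebSocket upgrade to the Discord Gateway that carries no User-Agent and misspells the documented `encoding` query parameter, answered with a 404. The Python below is an added example, not part of the Joe Sandbox report. It re-parses that exchange, computes the `Sec-WebSocket-Accept` value (RFC 6455) that a successful 101 reply would have had to carry, and reports the request traits a proxy or NDR rule can key on. The header boundaries, which the report prints run together, are restored by hand, and the two long Cloudflare reporting headers are omitted from the embedded copy.

```python
import base64
import hashlib

# RFC 6455, section 4.2.2: a server accepts an upgrade by returning
# base64(SHA-1(Sec-WebSocket-Key + this GUID)) in Sec-WebSocket-Accept.
WS_ACCEPT_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# The request and response from the report's network section, with CRLF
# boundaries restored. Report-To and NEL are omitted for brevity.
CAPTURED_REQUEST = (
    "GET /?v=9&encording=json HTTP/1.1\r\n"
    "Connection: Upgrade,Keep-Alive\r\n"
    "Upgrade: websocket\r\n"
    "Sec-WebSocket-Key: GobKN9foaKmPGPS7JbnRqg==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Host: gateway.discord.gg\r\n"
    "\r\n"
)
CAPTURED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 10 Dec 2024 09:07:07 GMT\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "CF-Cache-Status: DYNAMIC\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 8efc15350e0e436a-EWR\r\n"
    "\r\n"
)


def parse_http_head(message: str):
    """Split an HTTP/1.1 message head into (start line, {lower-case name: value})."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept value a compliant server must return for this key."""
    digest = hashlib.sha1((sec_websocket_key + WS_ACCEPT_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def assess_upgrade(request: str, response: str) -> dict:
    """Decide whether the handshake produced a WebSocket session and list the
    request traits a detection rule can key on."""
    request_line, req = parse_http_head(request)
    status_line, resp = parse_http_head(response)
    status = int(status_line.split()[1])
    method, target, _ = request_line.split(" ", 2)

    findings = []
    if req.get("upgrade", "").lower() != "websocket":
        findings.append("not a WebSocket upgrade")
    if "user-agent" not in req:
        findings.append("no User-Agent header")
    if req.get("host", "").lower() == "gateway.discord.gg":
        findings.append("Discord Gateway endpoint")
    if "encording=" in target:
        # Discord documents the parameter as "encoding"; the misspelling is
        # specific to this client's code and survives as a string indicator.
        findings.append("misspelled 'encording' query parameter")

    key = req.get("sec-websocket-key", "")
    established = (
        status == 101
        and resp.get("upgrade", "").lower() == "websocket"
        and resp.get("sec-websocket-accept") == expected_accept(key)
    )
    return {
        "method": method,
        "target": target,
        "status": status,
        "expected_accept": expected_accept(key) if key else None,
        "session_established": established,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, value in assess_upgrade(CAPTURED_REQUEST, CAPTURED_RESPONSE).items():
        print(f"{name}: {value}")
```

Checking the Accept value rather than only the status code matters for detection on decrypted traffic: a 101 from a non-compliant or intercepting server does not establish a session, and a client that proceeds anyway is itself suspicious. The misspelled parameter and the missing User-Agent are both visible to a TLS-terminating proxy before any Gateway payload is exchanged.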

E-Banking Fraud

Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B13FB
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B133C
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B13D3
Source: C:\Users\user\Desktop\Client-built.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300
Source: Client-built.exe | Static PE information: No import functions for PE file found (common for 64-bit .NET assemblies, which are bound to the CLR through the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory listed below rather than through an import table; on its own this is not evidence of packing)
Source: Client-built.exe, 00000000.00000000.1672809600.0000026500296000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: Discord rat.exe8 vs Client-built.exe
Source: Client-built.exe | Binary or memory string: OriginalFilename: Discord rat.exe8 vs Client-built.exe
Source: classification engine | Classification label: mal88.troj.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\Client-built.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6832
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\023fc88e-e11d-41a7-b262-3baa0d384546
Source: Client-built.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Client-built.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Client-built.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Client-built.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Client-built.exe | File read: C:\Users\user\Desktop\Client-built.exe
Source: unknown | Process created: C:\Users\user\Desktop\Client-built.exe "C:\Users\user\Desktop\Client-built.exe"
Source: C:\Users\user\Desktop\Client-built.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: websocket.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Client-built.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Client-built.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Client-built.exe | Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation

Source: Client-built.exe, Program.cs | .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: Client-built.exe, Program.cs | .Net Code: password
Source: Client-built.exe, Program.cs | .Net Code: webcampic
Source: Client-built.exe, Program.cs | .Net Code: select_cam
Source: Client-built.exe, Program.cs | .Net Code: get_cams
Source: Client-built.exe, Program.cs | .Net Code: get_tokens
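The decompiled method names above (LoadDll wrapping Assembly.Load(byte[]), get_tokens, webcampic) together with the raw.githubusercontent.com plug-in URLs and the misspelled Gateway URL from the strings section are the indicators a string-based rule such as the JoeSecurity_DiscordRat match would key on. One detail matters when writing such a rule for a .NET sample: string literals are stored in the assembly's #US heap as UTF-16LE, so an ASCII-only scan of the file on disk misses them and only finds them in a memory dump after the runtime has converted them (which is why the report's "String found in binary or memory" hits come from .sdmp regions). The Python below is an added example, not part of the Joe Sandbox report or the RAT project; the indicator strings are copied verbatim from this report, and the scanned buffer is constructed for the demonstration rather than taken from the sample.

```python
import re

# Indicator strings copied verbatim from this report: the plug-in download
# prefix, the Gateway URL with its misspelled parameter, two REST endpoints
# and the version-info OriginalFilename.
INDICATORS = (
    "raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/",
    "gateway.discord.gg/?v=9&encording=json",
    "https://discord.com/api/v9/guilds/",
    "https://discord.com/api/v9/channels/",
    "Discord rat.exe",
)

# .NET literals sit in the #US heap as UTF-16LE; the same text appears as
# ASCII only once the runtime has converted it (e.g. into an HTTP buffer).
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def find_indicators(data: bytes, encodings=ENCODINGS, indicators=INDICATORS) -> list:
    """Return every occurrence of an indicator in `data`, in each listed encoding,
    as {"indicator", "encoding", "offset"} dicts ordered by offset."""
    hits = []
    for text in indicators:
        for label, codec in encodings.items():
            pattern = re.compile(re.escape(text.encode(codec)))
            for match in pattern.finditer(data):
                hits.append({"indicator": text, "encoding": label, "offset": match.start()})
    return sorted(hits, key=lambda hit: hit["offset"])


def build_sample_blob() -> bytes:
    """Constructed test buffer; not bytes from the real sample."""
    dll_url = ("https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/"
               "Discord%20rat/Resources/rootkit.dll")
    return (
        b"\x00" * 16
        + dll_url.encode("utf-16-le")                       # stored like a .NET literal
        + b"\x00" * 8
        + b"wss://gateway.discord.gg/?v=9&encording=json"   # as it appears on the wire
        + b"\x00" * 8
    )


if __name__ == "__main__":
    blob = build_sample_blob()
    for hit in find_indicators(blob):
        print(hit)
    # An ASCII-only scan sees the wire string but misses the UTF-16 literal.
    print("ascii-only hits:", len(find_indicators(blob, encodings={"ascii": "ascii"})))
```

The same dual-encoding rule applies to YARA: declare the .NET literals with the `wide` modifier (or `ascii wide` for strings that are also expected in memory dumps), otherwise a rule that matches the unpacked memory region will fail against the file that the mail gateway or EDR actually sees.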
Source: Client-built.exe | Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC] (note: .NET compilers with deterministic builds enabled store a content hash in the PE timestamp field, so an impossible date here is not by itself evidence of timestamp tampering)
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B3FFD push ebx; retf 000Bh (function 0_2_00007FFD9B8B3FCA)
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B3F9D push ebx; retf 000Bh (function 0_2_00007FFD9B8B3FCA)
Source: C:\Users\user\Desktop\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Client-built.exe | Process information set: NOOPENFILEERRORBOX (54 identical events)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (14 identical events)
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Client-built.exe; Memory allocated: 265004C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client-built.exe; Memory allocated: 2651A0B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client-built.exe TID: 3320; Thread sleep count: 328 > 30
Source: C:\Users\user\Desktop\Client-built.exe TID: 3320; Thread sleep count: 166 > 30
Note: reserving memory with write watch is how the .NET garbage collector sets up its heap, so for a .NET sample these two allocations are expected CLR behaviour and the "Allocates memory with a write watch" signature carries little weight on its own. The sleep loops are the reason this run uses the "higher sleep bypass" cookbook listed in the analysis metadata.
Source: Amcache.hve.3.dr; Binary or memory string: VMware
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Client-built.exe, 00000000.00000002.2229419737.0000026500554000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
Source: Amcache.hve.3.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Note: every Amcache.hve.3.dr entry above comes from a copy of the analysis machine's own Amcache hive captured alongside the WerFault crash report, so the VMware, Hyper-V and BIOS strings describe the sandbox's hardware inventory, not strings inside Client-built.exe, and they do not show that the sample looks for a virtual machine. The one string taken from the sample's process memory, "Hyper-V RAW" next to the mswsock.dll path, is the name of a standard Windows 10 Winsock catalog entry (the AF_HYPERV provider) and is expected in any process that initialises Winsock.
Source: C:\Users\user\Desktop\Client-built.exe; Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\Client-built.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Client-built.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Client-built.exe; Queries volume information: C:\Users\user\Desktop\Client-built.exe VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Client-built.exe, Program.cs; .Net Code: DisableTaskManager
Source: Amcache.hve.3.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: MsMpEng.exe
Note: the four MsMpEng.exe strings are taken from the analysis machine's own Amcache hive, which records the Defender engine installed on the sandbox; they are not strings in the sample, so the "AV process strings found" signature is satisfied by the hive rather than by the malware. The substantive finding in this section is the DisableTaskManager routine in the decompiled Program.cs.

Stealing of Sensitive Information

Source: Yara match; File source: Client-built.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: Client-built.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR
MITRE ATT&CK matrix (the number in parentheses is the count of signatures mapped to that technique; techniques without a number are the matrix's unmatched cells)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (3), Disable or Modify Tools (11), Process Injection (1), Obfuscated Files or Information (1), Software Packing (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (3), System Information Discovery (12), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
Client-built.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DiscordRAT
Client-built.exe | 100% | Avira | TR/Agent.lsgui
Client-built.exe | 100% | Joe Sandbox ML |
No Antivirus matches in the four remaining scan categories.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
gateway.discord.gg | 162.159.135.234 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://gateway.discord.gg/?v=9&encording=json | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://geolocation-db.com/json | Client-built.exe | false | | high
https://file.io/ | Client-built.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte (URL truncated in the report) | Client-built.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll | Client-built.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d (URL truncated in the report) | Client-built.exe | false | | high
https://gateway.discord.gg:443/?v=9&encording=json | Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.3.dr | false | | high
http://gateway.discord.gg | Client-built.exe, 00000000.00000002.2229817612.0000026502165000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gateway.discord.gg | Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll | Client-built.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/channels/ | Client-built.exe | false | | high
https://gateway.discord.gg/?v=9&encording=jsonX | Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gateway.discord.gg/ | Client-built.exe, 00000000.00000002.2229419737.0000026500554000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://discord.com/api/v9/guilds/ | Client-built.exe | false | | high
https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra (URL truncated in the report) | Client-built.exe | false | | high
http://www.google.com/maps/place/ | Client-built.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.135.234 | gateway.discord.gg | United States | 13335 | CLOUDFLARENETUS | false
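The indicators in the tables above are of very different quality: the Discord gateway host and its Cloudflare address are shared with every legitimate Discord client, the discord.com REST paths, geolocation-db.com and file.io are only suggestive, while the raw.githubusercontent.com path of the Discord-RAT-2.0 plugin DLLs and the misspelled query parameter "encording=json" in the sample's own gateway URL (the documented Discord gateway parameter is "encoding") are specific to this family and build. The matcher below is an added example written for this page, not code from Joe Sandbox or from the Discord-RAT-2.0 project; it ranks matches by that specificity and raises gateway traffic that does not originate from the Discord client itself. The log layout, the timestamps, the process names other than Client-built.exe and the 198.51.100.x / 203.0.113.x addresses are constructed.

```python
"""Match proxy/DNS log lines against the network indicators listed in this report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the report. Severity reflects how specific each one is:
# gateway.discord.gg and 162.159.135.234 (Cloudflare anycast) are shared with
# legitimate Discord clients, so on their own they only rate "low".
HIGH_URL_PREFIXES = (
    "https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/",
)
MEDIUM_URL_PREFIXES = (
    "https://discord.com/api/v9/channels/",
    "https://discord.com/api/v9/guilds/",
    "https://geolocation-db.com/json",
    "https://file.io/",
)
LOW_HOSTS = {"gateway.discord.gg"}
LOW_IPS = {"162.159.135.234"}
# The sample's gateway URL carries a misspelled query parameter; the documented
# Discord gateway parameter is "encoding", so "encording" is specific to this build.
FINGERPRINT_QUERY = "encording=json"
RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed log layout (hypothetical, not from the report): "<ts> <process> <dst_ip> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<ip>\S+)\s+(?P<url>\S+)$")


@dataclass
class Finding:
    line_no: int
    process: str
    severity: str
    reason: str


def classify(url: str, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one request, or None if nothing matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if FINGERPRINT_QUERY in parts.query:
        return "high", "misspelled gateway parameter 'encording=json' seen in the sample"
    if url.startswith(HIGH_URL_PREFIXES):
        return "high", "fetch of a Discord-RAT-2.0 plugin resource from raw.githubusercontent.com"
    if url.startswith(MEDIUM_URL_PREFIXES):
        return "medium", "endpoint used by the sample (Discord REST API, geolocation-db.com or file.io)"
    if host in LOW_HOSTS or dst_ip in LOW_IPS:
        return "low", "Discord gateway host / Cloudflare IP, shared with legitimate Discord clients"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every well-formed log line and collect the hits."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected layout
        hit = classify(m["url"], m["ip"])
        if hit is None:
            continue
        severity, reason = hit
        # Gateway traffic from anything other than the Discord client itself is
        # worth a look: the sample here is a renamed .NET bot, not Discord.exe.
        if severity == "low" and not m["proc"].lower().startswith("discord"):
            severity, reason = "medium", reason + f"; initiated by {m['proc']}"
        findings.append(Finding(n, m["proc"], severity, reason))
    return findings


def max_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity among the findings, or None when there are none."""
    return max((f.severity for f in findings), key=RANK.__getitem__, default=None)


# Constructed sample log. Timestamps, process names other than Client-built.exe
# and the 198.51.100.x / 203.0.113.x addresses are made up (RFC 5737 test ranges).
SAMPLE_LOG = [
    "2024-12-10T09:07:01Z Client-built.exe 162.159.135.234 https://gateway.discord.gg:443/?v=9&encording=json",
    "2024-12-10T09:07:03Z Client-built.exe 203.0.113.10 https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll",
    "2024-12-10T09:07:05Z Discord.exe 162.159.135.234 https://gateway.discord.gg/?v=10&encoding=json",
    "2024-12-10T09:07:06Z chrome.exe 198.51.100.7 https://example.com/",
    "2024-12-10T09:07:08Z Client-built.exe 203.0.113.20 https://geolocation-db.com/json",
    "2024-12-10T09:07:09Z Client-built.exe 203.0.113.30 https://discord.com/api/v9/channels/1234/messages",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:6} {f.process}: {f.reason}")
    print("overall:", max_severity(scan(SAMPLE_LOG)))
```

The ordering of checks matters: the "encording" test runs first because it is the most specific string on the page, and the Cloudflare address is tested last because, as the context tables for this IP and ASN show, it is shared with unrelated families.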
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572244
Start date and time: 2024-12-10 10:06:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Client-built.exe
Detection: MAL
Classification: mal88.troj.evad.winEXE@2/5@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 12
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.177.85, 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Client-built.exe, PID 6832 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: Client-built.exe
                                                No simulations
Context for IP 162.159.135.234 (other submissions that contacted it)
Associated Sample Name / URL | Detection | Threat Name
datXObAAn1.exe | malicious | Discord Rat
gcrY4QgzW9.exe | malicious | Discord Rat
xxImTScxAq.exe | malicious | Unknown
EUOgPjsBTC.exe | malicious | Unknown
BX7yRz7XqF.lnk | malicious | PureLog Stealer, zgRAT
jKSjtQ8W7O.lnk | malicious | PureLog Stealer, zgRAT
Sv6eQZzG0Z.lnk | malicious | PureLog Stealer, zgRAT
http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/ | malicious | Unknown
https://bafybeid655cmhe6uwb6wx3qrnokcfyddv63kcnzkm3whfn2xbjyyhukh2m.ipfs.dweb.link/ | malicious | Unknown

Context for domain gateway.discord.gg (other submissions that resolved it, with the IP they received)
Associated Sample Name | Detection | Threat Name | Resolved IP
datXObAAn1.exe | malicious | Discord Rat | 162.159.133.234
EeXJoO1J62.exe | malicious | Discord Rat | 162.159.130.234
gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.136.234
datXObAAn1.exe | malicious | Discord Rat | 162.159.135.234
XZaysgiUfm.exe | malicious | Discord Rat | 162.159.130.234
EeXJoO1J62.exe | malicious | Discord Rat | 162.159.136.234
gcrY4QgzW9.exe | malicious | Discord Rat | 162.159.135.234
XZaysgiUfm.exe | malicious | Discord Rat | 162.159.133.234
SecuriteInfo.com.Win64.MalwareX-gen.18133.14409.exe | malicious | Discord Rat | 162.159.130.234

Context for ASN CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | IP
KrnlSetup.exe | malicious | XWorm | 104.20.3.235
file.exe | malicious | LummaC Stealer | 104.21.96.1
sjoslin@odeonuk.com_print.svg | malicious | Unknown | 172.67.156.226
document.pif.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
sjoslin@odeonuk.com_print.svg | malicious | Unknown | 172.67.156.226
Statement 2024-11-29 (K07234).exe | malicious | AgentTesla | 104.26.12.205
Request for Quotation_10.12.2024.exe | malicious | MassLogger RAT | 104.21.67.152
SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg== | malicious | Unknown | 172.64.150.63

Context for JA3 fingerprint 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name | Detection | Threat Name | IP
KrnlSetup.exe | malicious | XWorm | 162.159.135.234
c2.hta | malicious | XWorm | 162.159.135.234
iboka6.hta | malicious | Unknown | 162.159.135.234
Statement 2024-11-29 (K07234).exe | malicious | AgentTesla | 162.159.135.234
SALARY_RECEIPT.exe | malicious | Snake Keylogger, VIP Keylogger | 162.159.135.234
matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 162.159.135.234
aXxRRIGARH.exe | malicious | Unknown | 162.159.135.234
aXxRRIGARH.exe | malicious | Unknown | 162.159.135.234
Dfim58cp4J.exe | malicious | DCRat, PureLog Stealer, zgRAT | 162.159.135.234

Note: only the gateway.discord.gg context is family-specific (every entry is Discord Rat). The IP, ASN and JA3 contexts span unrelated families (XWorm, AgentTesla, Snake Keylogger, Cobalt Strike, DCRat), which is what you expect from a Cloudflare anycast address and a TLS fingerprint produced by the standard Windows TLS stack; they support "seen with malware before" but not attribution to this family.
                                                                  No context
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):65536
                                                                  Entropy (8bit):1.166191557038015
                                                                  Encrypted:false
                                                                  SSDEEP:192:MOfRdqKIHP08rLVEaWQdl/N6fmzuiFGZ24lO8k:FdqKr8rLVEar/gfmzuiFGY4lO8k
                                                                  MD5:21162E408EF63F68591E4923E65BF61B
                                                                  SHA1:2E8CDD961F7FA48967FD1AB9D518B0876D9B375E
                                                                  SHA-256:B41EB59A10A897CE5EEAD9A51296877E9C2F3EB00A1F7C9319837B101ACEB4F7
                                                                  SHA-512:E5B2D3B413C0D610CEC8BC0ACDBA41912EDCA675CE83D6160473F7C930AD5B6740768FC60C40C11C04A5C26423774EABC14C76D131060DD5745EDF6E861055A6
                                                                  Malicious:true
                                                                  Reputation:low
Preview (UTF-16 text, decoded; ends where the report truncates it):
Version=1
EventType=CLR20r3
EventTime=133782952277757253
ReportType=2
Consent=1
UploadTime=133782952284476054
ReportStatus=524384
ReportIdentifier=b52600bf-b939-4a6c-ab3a-dc1fd02ab166
IntegratorReportIdentifier=2072976a-9e88-4488-b359-7740ab4d6973
Wow64Host=34404
NsAppName=Client-built.exe
OriginalFilename=Discord rat.exe
AppSessionGuid=00001ab0-0001-0014-8313-7de1e24adb01
TargetAppId=W:000643feee17a363419f55d65ea2c16f5b3000000000!0000789f61f744f5db242338d2a681239e47920659d7!Client
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:Mini DuMP crash report, 16 streams, Tue Dec 10 09:07:08 2024, 0x1205a4 type
                                                                  Category:dropped
                                                                  Size (bytes):530057
                                                                  Entropy (8bit):2.9514692073727673
                                                                  Encrypted:false
                                                                  SSDEEP:3072:g+Z2Yz2RXcSwY11CCqO7XM9uG3+v0cJPji6VEoVmfyBOXpIymdSZmykH2z4UMwOv:Z27LqO7euG3QdvjHyFO
                                                                  MD5:B88F7DD7E172C7B8656E0D2CDF50C385
                                                                  SHA1:6810640270D93DE67E9E849CCF2EF1655415581C
                                                                  SHA-256:7782C9C0D6D6CE8EF1F9CA9EF28B5C7F71B747F76FB69917B2057017CDDD0F14
                                                                  SHA-512:6E4427EC8039FF23F68E42724435E968DA75AECCCC48989FAE5C31425BA435CDB535336AC9C094057433C8C6B1AE0B44EA8B706A699FCDEBD23285483B8FB91D
                                                                  Malicious:false
                                                                  Reputation:low
Preview: MDMP (binary minidump header; readable strings in the preview: "Eastern Standard Time", "Eastern Summer Time", "19041.1.amd64fre.vb_release.191206-1406")
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8814
                                                                  Entropy (8bit):3.6968992170415986
                                                                  Encrypted:false
                                                                  SSDEEP:192:R6l7wVeJIR6iJ6Y9c8gx8VBkgmfZ5EDw1prB89b6R2osfukBm:R6lXJIcU6YW8gxcSgmfUD56R2LfR8
                                                                  MD5:1DF273BCDE44E8BA5D5041E9177E17FA
                                                                  SHA1:A182AAA45F903BC99F1290AB4EC1CFD374DCE207
                                                                  SHA-256:77C1C8B45CD3777DBA70C06622FFCF30F60D303A9B7383155EB29AECD245B28A
                                                                  SHA-512:B36A4270C61ADDD3A84275F28637D2213AA6F9CE76852E9BADC7C5E0555D16F5E228CCD0EFD780CE343EC33AA8EB1F819B463630DCADF6A260A5AC549E21F19A
                                                                  Malicious:false
                                                                  Reputation:low
Preview (UTF-16 XML, decoded; ends where the report truncates it):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
 <OSVersionInformation>
  <WindowsNTVersion>10.0</WindowsNTVersion>
  <Build>19045</Build>
  <Product>(0x30): Windows 10 Pro</Product>
  <Edition>Professional</Edition>
  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
  <Revision>2006</Revision>
  <Flavor>Multiprocessor Free</Flavor>
  <Architecture>X64</Architecture>
  <LCID>2057</LCID>
 </OSVersionInformation>
 <ProcessInformation>
  <Pid>6832</Pi
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):4816
                                                                  Entropy (8bit):4.468849658418192
                                                                  Encrypted:false
                                                                  SSDEEP:48:cvIwWl8zsDEJg771I9X/kWpW8VY+Ym8M4JAVG4b6FK1yq8v2G4bWmcI0Y0Sd:uIjfDCI7W/97VCJAVdDW2dSmcI0Y0Sd
                                                                  MD5:711FD3690462401485B7D66688D760E0
                                                                  SHA1:1FD95D6B451CBB7A6C3D8CCEE24E2B467DD9135D
                                                                  SHA-256:3AC89242B83859C4AC90DB44E9641AFF79CCF56B6C53D1D243EC735D637BAD35
                                                                  SHA-512:E17773E8085CED63163071183C3154E994BFF07DD242ABEB2DD5CB88B04E568DAA1ACF117551F9D6BF73329F322FC3FE39B211EBCEC4EFA5234269D22A5ACDB1
                                                                  Malicious:false
                                                                  Reputation:low
Preview (CRLF line breaks restored; ends where the report truncates it):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="624969" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
                                                                  Process:C:\Windows\System32\WerFault.exe
                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                  Category:dropped
                                                                  Size (bytes):1835008
                                                                  Entropy (8bit):4.465671965429223
                                                                  Encrypted:false
                                                                  SSDEEP:6144:7IXfpi67eLPU9skLmb0b4yWSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSbZ:cXD94yWlLZMM6YFHS+Z
                                                                  MD5:33647831E0EFDAE7240022FFCEFA35BC
                                                                  SHA1:004C50D9CB5F353D1CE699FC238D307CC1ECDEC2
                                                                  SHA-256:A2FD628C7F80E1773FAFE8EC84DC309D98324B03F1BDF1C7EA83DD2710724CCC
                                                                  SHA-512:2FA10EFD2CE23D3A7C93B40AE70077CB42D73B9200EF51525EFD2869AC92D17766F228D2EB2504A25B2DD4F8DBE013D9E4D1BA7B4C8765CD1933A2C4F2B46F69
                                                                  Malicious:false
                                                                  Reputation:low
Preview: regf (binary registry hive header; readable string in the preview: "\AppCompat\Programs\Amcache.hve")
                                                                  File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):5.482104562444758
                                                                  TrID:
                                                                  • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                                  • Win64 Executable GUI (202006/5) 46.43%
                                                                  • Win64 Executable (generic) (12005/4) 2.76%
                                                                  • Generic Win/DOS Executable (2004/3) 0.46%
                                                                  • DOS Executable Generic (2002/1) 0.46%
                                                                  File name:Client-built.exe
                                                                  File size:80'384 bytes
                                                                  MD5:051a35afeeaefb8cd96b0fb74673fce5
                                                                  SHA1:789f61f744f5db242338d2a681239e47920659d7
                                                                  SHA256:e7f2b9453131a2040ff975e27915fe21f6b80953b12fe6d7309af2f6db45cb14
                                                                  SHA512:4369842c7798af4513c6d010ec154dcc7df4547e4b02ef7fe4d83059131e381334411c1f8390b24841e222fbce812100118ff1ec382e9a87a2d36bc7192e0ca6
                                                                  SSDEEP:1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+BqPIC:5Zv5PDwbjNrmAE+B2IC
                                                                  TLSH:7E73B8C877AD8903FBBF5EFD147141524B72BB17E935F68D088C54E611A2B828C42B9B
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..2............... .....@..... ....................................`...@......@............... .....
                                                                  Icon Hash:90cececece8e8eb0
                                                                  Entrypoint:0x140000000
                                                                  Entrypoint Section:
                                                                  Digitally signed:false
                                                                  Imagebase:0x140000000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:
                                                                  Instruction
                                                                  dec ebp
                                                                  pop edx
                                                                  nop
                                                                  add byte ptr [ebx], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax+eax], al
                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x5b6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x13038 | 0x13200 | a472594be75743b74236f495b0c4d648 | False | 0.3583154616013072 | data | 5.508161091372907 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x5b6 | 0x600 | bea68bc442fa63fbe2807c2fdac84be0 | False | 0.416015625 | data | 4.08919936126734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x160a0 | 0x32c | data | | | 0.41995073891625617
RT_MANIFEST | 0x163cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 10:07:05.727796078 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:05.727848053 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:05.727927923 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:05.746666908 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:05.746709108 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:06.962991953 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:06.963064909 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:06.985548973 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:06.985585928 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:06.985838890 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:07.035789967 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:07.521789074 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:07.563333035 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:07.878197908 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:07.878268003 CET | 443 | 49730 | 162.159.135.234 | 192.168.2.4
Dec 10, 2024 10:07:07.878331900 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Dec 10, 2024 10:07:07.885602951 CET | 49730 | 443 | 192.168.2.4 | 162.159.135.234
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 10:07:05.577826023 CET | 58898 | 53 | 192.168.2.4 | 1.1.1.1
Dec 10, 2024 10:07:05.715507030 CET | 53 | 58898 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 10:07:05.577826023 CET | 192.168.2.4 | 1.1.1.1 | 0xd9f8 | Standard query (0) | gateway.discord.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 10:07:05.715507030 CET | 1.1.1.1 | 192.168.2.4 | 0xd9f8 | No error (0) | gateway.discord.gg | | 162.159.135.234 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:07:05.715507030 CET | 1.1.1.1 | 192.168.2.4 | 0xd9f8 | No error (0) | gateway.discord.gg | | 162.159.134.234 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:07:05.715507030 CET | 1.1.1.1 | 192.168.2.4 | 0xd9f8 | No error (0) | gateway.discord.gg | | 162.159.130.234 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:07:05.715507030 CET | 1.1.1.1 | 192.168.2.4 | 0xd9f8 | No error (0) | gateway.discord.gg | | 162.159.133.234 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 10:07:05.715507030 CET | 1.1.1.1 | 192.168.2.4 | 0xd9f8 | No error (0) | gateway.discord.gg | | 162.159.136.234 | A (IP address) | IN (0x0001) | false
                                                                  • gateway.discord.gg
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 162.159.135.234 | 443 | 6832 | C:\Users\user\Desktop\Client-built.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 09:07:07 UTC | 187 | OUT | GET /?v=9&encording=json HTTP/1.1
  Connection: Upgrade,Keep-Alive
  Upgrade: websocket
  Sec-WebSocket-Key: GobKN9foaKmPGPS7JbnRqg==
  Sec-WebSocket-Version: 13
  Host: gateway.discord.gg
2024-12-10 09:07:07 UTC | 614 | IN | HTTP/1.1 404 Not Found
  Date: Tue, 10 Dec 2024 09:07:07 GMT
  Content-Length: 0
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zQvCRIfUa%2Fref6sxWM3WMRSg3c6mG5bBUlmHyiMCsTxo3gmI5wcap11iN8poWum2kY28iY26Kgxytm1jmYOhhGsEBpqW4JQ2Z3prMJ9%2BzpW3Oic9dH0VtTLBxUbTze6%2B28BGlg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 8efc15350e0e436a-EWR
                                                                  Target ID:0
                                                                  Start time:04:07:04
                                                                  Start date:10/12/2024
                                                                  Path:C:\Users\user\Desktop\Client-built.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\user\Desktop\Client-built.exe"
                                                                  Imagebase:0x26500280000
                                                                  File size:80'384 bytes
                                                                  MD5 hash:051A35AFEEAEFB8CD96B0FB74673FCE5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DiscordRat, Description: Yara detected Discord Rat, Source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:04:07:07
                                                                  Start date:10/12/2024
                                                                  Path:C:\Windows\System32\WerFault.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300
                                                                  Imagebase:0x7ff717310000
                                                                  File size:570'736 bytes
                                                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ;L_I$<L_I$=L_I$>L_I
                                                                    • API String ID: 0-2931572294
                                                                    • Opcode Fuzzy Hash: 5d17f9c947e587d391d3e8888191c9c94ea42ed358d633552efe5d5e5dd90b0d
                                                                    • Instruction Fuzzy Hash: 19812892A0EAC91FD762D7B868769EEBFF0DF5B25074806EAD0C58B1A7C9142413C781
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b5b173b3722d8670a63908959e30391a79270787aa81738b29f7be8cc326078d
                                                                    • Instruction ID: d3b939278cf440f85bb50385c593cdc9b0f2e864d59627e2143af62cca74a282
                                                                    • Opcode Fuzzy Hash: b5b173b3722d8670a63908959e30391a79270787aa81738b29f7be8cc326078d
                                                                    • Instruction Fuzzy Hash: 6551F521A1E6DD0FE772977948315E97FA0DF4B650F0A02FAD488CB0E3D919291B8782
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2be09830dbd094255eccce464c161cdb78d0ce7875407e17ed7eba1cddcb87a4
                                                                    • Instruction ID: c7bb4552324d2872c0326774aec20a8b49fcce775c3e401e68e7ab77e1a74688
                                                                    • Opcode Fuzzy Hash: 2be09830dbd094255eccce464c161cdb78d0ce7875407e17ed7eba1cddcb87a4
                                                                    • Instruction Fuzzy Hash: A2517931B19A0E8FDBA9EF68D464ABA77E1FF58310B150579D419C32A5CF34E841CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 45e6849cffb7f6a0d950df1ab375d5f56d73bd8a2319b438908081567136b746
                                                                    • Instruction ID: 0e5a90b7c56ef9c5d3c2925be1f255e389fc05c4533b6404328d31c48162a50f
                                                                    • Opcode Fuzzy Hash: 45e6849cffb7f6a0d950df1ab375d5f56d73bd8a2319b438908081567136b746
                                                                    • Instruction Fuzzy Hash: FB51A170908B1C8FDB58DF98D8456EDBBF1FB99310F00426BE449D7256DA34A945CBC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e09c7426d28286cd52aa8c2cc29771d3f88692b916e3d70a44b7eaeda4520aee
                                                                    • Instruction ID: 3abf8ceec55aa4c479d10c12447cdc9de6b0c849f4b0efa9a889928894d2d931
                                                                    • Opcode Fuzzy Hash: e09c7426d28286cd52aa8c2cc29771d3f88692b916e3d70a44b7eaeda4520aee
                                                                    • Instruction Fuzzy Hash: 3211C626F2A96E0AFBB4977948312F972D0EF4D750F4A0276D41DC35E3ED187A0A09C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75c4315c87b1547635e06b800ae619db330ea538a97e48521f02e590843ef2f4
                                                                    • Instruction ID: 568008c91cf9bca0b70e31cea1c62e801bfa5f141ea60a294c6a00c476a811b9
                                                                    • Opcode Fuzzy Hash: 75c4315c87b1547635e06b800ae619db330ea538a97e48521f02e590843ef2f4
                                                                    • Instruction Fuzzy Hash: 5DF03A31608A0F8FCF85DF48D8419EBB3A1FF58300B104662E419C3198DA30E951CBC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: acb312743f9edbeb3445821f947e55497e04b1fabc0af66915c6938f98e8fa48
                                                                    • Instruction ID: 7a4ccfec7f9c3e2ac7a6698a75944005535ae4526d7ab01a9fbbb12de7735f9c
                                                                    • Opcode Fuzzy Hash: acb312743f9edbeb3445821f947e55497e04b1fabc0af66915c6938f98e8fa48
                                                                    • Instruction Fuzzy Hash: 1FF05520A1F7AA0FE72AA7BD08626653EE1DB4D100F0580FFC088C76E3C8889C4243A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 27e474e5a5f80ba6773577862c97e63b6923bab25a9f8c0e8ec7fe3f509b13c6
                                                                    • Instruction ID: a798777f6c63991a3dd66fa94af67c723aec480457c0bea320aa0fe9d6581b87
                                                                    • Opcode Fuzzy Hash: 27e474e5a5f80ba6773577862c97e63b6923bab25a9f8c0e8ec7fe3f509b13c6
                                                                    • Instruction Fuzzy Hash: 09E0C222F5582E49EF48B7B47C769FDF255DFC9200BC10876E02DC30CBDD192A020582
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 84db915599d70e288d7c9f0515e4641e8a95111ababb507c674acf08a8e80a65
                                                                    • Instruction ID: 7c426b12cb10e13670ffb6c31dc1ae2fef09ebd45c300fb6bebe0682855189e5
                                                                    • Opcode Fuzzy Hash: 84db915599d70e288d7c9f0515e4641e8a95111ababb507c674acf08a8e80a65
                                                                    • Instruction Fuzzy Hash: F3E04F31518B098BC344DF18D45049AF7E0FF94320F800B2EF05AC61B5DB7596818A82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c9f77b1f4720391f20bd3a88591a55fe78cf9f6b409ce6295e43298a64d6259
                                                                    • Instruction ID: 9ae59eb98bba9d6e2e1c74bdc968456aee1715ca56b3d728359449a6816f8cd1
                                                                    • Opcode Fuzzy Hash: 9c9f77b1f4720391f20bd3a88591a55fe78cf9f6b409ce6295e43298a64d6259
                                                                    • Instruction Fuzzy Hash: A4C0123252C64D57D351AB10E461CEF7360FF90610F801B39F04A55099DD64A74585C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 859890474cbbc662914725535a6d63238f999b169b62bfefdddcbf7efb7ff52c
                                                                    • Instruction ID: 23fb9e81d06b48ec39ec0e55487624bad97b1fd6f0d5aff7bdcd204e6e9d139d
                                                                    • Opcode Fuzzy Hash: 859890474cbbc662914725535a6d63238f999b169b62bfefdddcbf7efb7ff52c
                                                                    • Instruction Fuzzy Hash: 5791F257B0C57285E71B33FD7D2A8F9BB00DF823B9B0842B7D15D8A0D76949208792E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dbfcba6d76018ae82dd046f278ac6c83ee130da5fc4aa08721c093e8bd02c383
                                                                    • Instruction ID: 5e03f0c01d2c8cfef371f88b4cf88e93f314d76b3f501edd096e9f7f4672258d
                                                                    • Opcode Fuzzy Hash: dbfcba6d76018ae82dd046f278ac6c83ee130da5fc4aa08721c093e8bd02c383
                                                                    • Instruction Fuzzy Hash: 63518287B0853694E31F33FD792A8FD6B00CF81379B0846B7E15E8A0DB5D49608392E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2230529066.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Client-built.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5488f1eb464641f7834b5a8b079337c2bf252073b044201229ed38e78a1b6a3d
                                                                    • Instruction ID: b648b3745c39fe5899efc54324b1782a6a2dd8a2f35acd545f4dcc350254a086
                                                                    • Opcode Fuzzy Hash: 5488f1eb464641f7834b5a8b079337c2bf252073b044201229ed38e78a1b6a3d
                                                                    • Instruction Fuzzy Hash: 50517383B0853695E31F32FD792A9FD6B40DF8137DB0842B7E16E8A0DB5D49608392E5