Windows Analysis Report
dF66DKQP7u.exe

Overview

General Information

Sample name: dF66DKQP7u.exe (renamed because original name is a hash value)
Original sample name: 160c5e731842e66b88ef13597bc948285fabf82539cd09cc7ccf0548233f6bd8.exe
Analysis ID: 1579079
MD5: 00aba1719ec22a25a96acfa88df5ae61
SHA1: 38ce2766b03bceb128d3ba950933c2edd8669b81
SHA256: 160c5e731842e66b88ef13597bc948285fabf82539cd09cc7ccf0548233f6bd8
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • dF66DKQP7u.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\dF66DKQP7u.exe" MD5: 00ABA1719EC22A25A96ACFA88DF5AE61)
    • WerFault.exe (PID: 8172 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 2988 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"C2 url": ["https://pastebin.com/raw/b9mBR3Jm"], "Aes key": "<1111>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
dF66DKQP7u.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
dF66DKQP7u.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
dF66DKQP7u.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xeb4b:$s6: VirtualBox
  • 0xeaa9:$s8: Win32_ComputerSystem
  • 0x11e9e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11f3b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12050:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10c0f:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\XClient.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\XClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xeb4b:$s6: VirtualBox
  • 0xeaa9:$s8: Win32_ComputerSystem
  • 0x11e9e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11f3b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12050:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10c0f:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe94b:$s6: VirtualBox
  • 0xe8a9:$s8: Win32_ComputerSystem
  • 0x11c9e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11d3b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11e50:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10a0f:$cnc4: POST / HTTP/1.1
00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: dF66DKQP7u.exe PID: 7296 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
1.0.dF66DKQP7u.exe.290000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
1.0.dF66DKQP7u.exe.290000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
1.0.dF66DKQP7u.exe.290000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xeb4b:$s6: VirtualBox
  • 0xeaa9:$s8: Win32_ComputerSystem
  • 0x11e9e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11f3b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12050:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10c0f:$cnc4: POST / HTTP/1.1

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\dF66DKQP7u.exe, ProcessId: 7296, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
No Suricata rule has matched


AV Detection

Source: dF66DKQP7u.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: dF66DKQP7u.exe | Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/b9mBR3Jm"], "Aes key": "<1111>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 78%
Source: dF66DKQP7u.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: dF66DKQP7u.exe | Joe Sandbox ML: detected
Source: dF66DKQP7u.exe | String decryptor: https://pastebin.com/raw/b9mBR3Jm
Source: dF66DKQP7u.exe | String decryptor: <1111>
Source: dF66DKQP7u.exe | String decryptor: <Xwormmm>
Source: dF66DKQP7u.exe | String decryptor: XWorm V5.6
Source: dF66DKQP7u.exe | String decryptor: USB.exe
Source: dF66DKQP7u.exe | String decryptor: %AppData%
Source: dF66DKQP7u.exe | String decryptor: XClient.exe
Source: dF66DKQP7u.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49714 version: TLS 1.2
Source: dF66DKQP7u.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer320Z, source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Xml.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2346849744.0000000000864000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\dF66DKQP7u.PDB source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Drawing.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: zsymbols\dll\mscorlib.pdbpdb` source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Configuration.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbJ source: dF66DKQP7u.exe, 00000001.00000002.2346849744.0000000000864000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: 0C:\Windows\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4CF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp, WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb@ source: dF66DKQP7u.exe, 00000001.00000002.2346849744.0000000000864000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb` source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbz source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: indoC:\Windows\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERDD9D.tmp.dmp.8.dr

Networking

Source: Malware configuration extractor | URLs: https://pastebin.com/raw/b9mBR3Jm
Source: unknown | DNS query: name: pastebin.com
Source: Yara match | File source: dF66DKQP7u.exe, type: SAMPLE
Source: Yara match | File source: 1.0.dF66DKQP7u.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /raw/b9mBR3Jm HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: zebby-22086.portmap.host
Source: dF66DKQP7u.exe, 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: dF66DKQP7u.exe, XClient.exe.1.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: dF66DKQP7u.exe, 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: dF66DKQP7u.exe, 00000001.00000002.2348727892.00000000026AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: dF66DKQP7u.exe, 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/b9mBR3Jm
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714

Operating System Destruction

Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process information set: 01 00 00 00

System Summary

Source: dF66DKQP7u.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.dF66DKQP7u.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Code function: 1_2_00007FFAAC345D96
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Code function: 1_2_00007FFAAC346B42
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Code function: 1_2_00007FFAAC341028
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Code function: 1_2_00007FFAAC341C51
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 2988
Source: dF66DKQP7u.exe, 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFlasherSoftwarePRO.exe4 vs dF66DKQP7u.exe
Source: dF66DKQP7u.exe | Binary or memory string: OriginalFilenameFlasherSoftwarePRO.exe4 vs dF66DKQP7u.exe
Source: dF66DKQP7u.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.dF66DKQP7u.exe.290000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: dF66DKQP7u.exe, KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dF66DKQP7u.exe, oiyWezAXIYnt3zmnfA81TgMQwU9jAKq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.1.dr, oiyWezAXIYnt3zmnfA81TgMQwU9jAKq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: dF66DKQP7u.exe, 1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.cs | Base64 encoded string: 'uNkT7i/q4xOXWbXLCJyhw17xQHGieB/9VyHy7GT975VL68KQkjQ+LuNz4RlGkNwD'
Source: XClient.exe.1.dr, 1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.cs | Base64 encoded string: 'uNkT7i/q4xOXWbXLCJyhw17xQHGieB/9VyHy7GT975VL68KQkjQ+LuNz4RlGkNwD'
Source: dF66DKQP7u.exe, bsxkRdhnptfNnS9w9QGRbQFtkNNLhtutGQWlmKjmpMpGGC.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dF66DKQP7u.exe, bsxkRdhnptfNnS9w9QGRbQFtkNNLhtutGQWlmKjmpMpGGC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.1.dr, bsxkRdhnptfNnS9w9QGRbQFtkNNLhtutGQWlmKjmpMpGGC.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.1.dr, bsxkRdhnptfNnS9w9QGRbQFtkNNLhtutGQWlmKjmpMpGGC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/7@19/2
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7296
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Mutant created: \Sessions\1\BaseNamedObjects\0xWH5JuMf0B1eqly
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\73bb0cd7-13f1-4514-bf0e-ba986d43691b
Source: dF66DKQP7u.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dF66DKQP7u.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | File read: C:\Users\user\Desktop\dF66DKQP7u.exe
Source: unknown | Process created: C:\Users\user\Desktop\dF66DKQP7u.exe "C:\Users\user\Desktop\dF66DKQP7u.exe"
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: XClient.lnk.1.dr | LNK file: ..\..\..\..\..\XClient.exe
Source: C:\Users\user\Desktop\dF66DKQP7u.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: dF66DKQP7u.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Binary string: System.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: 0C:\Windows\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4CF000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp, WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb@ source: dF66DKQP7u.exe, 00000001.00000002.2346849744.0000000000864000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Management.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B4EC000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb` source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbz source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: indoC:\Windows\mscorlib.pdb source: dF66DKQP7u.exe, 00000001.00000002.2353493643.000000001BE59000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WERDD9D.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WERDD9D.tmp.dmp.8.dr

                    Data Obfuscation

                    Source: dF66DKQP7u.exe, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.ccjsucEfZAnVPpjylzydrGaWqrTnF4m9ABTBqXLMiiuKW0,_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.KBGpy9aGmokhtnMucMRiCeZmtjXDOj46brUmoRsi9zmn6p,_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.nMXemtxAlScf85EZb3o3EFLPLDCgJXTXKM6dk2blW5cbYc,_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.PczRbxULDToVKqOrWa1phh57lT6j4ni173WMrQrsi2uB13,KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.gn4LIQTgRVbnLjojNrPbWZAXm16pAea()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dF66DKQP7u.exe, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{gDCzSo2zHk4W6cssFbucMA6pf9IqFOt[2],KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.u57WyLuMgR1ye1fDtVmKGnUavOhEx4vNbm3vP1y0jq8WnqxGLs96aLi5rKZSl3D(Convert.FromBase64String(gDCzSo2zHk4W6cssFbucMA6pf9IqFOt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.1.dr, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.ccjsucEfZAnVPpjylzydrGaWqrTnF4m9ABTBqXLMiiuKW0,_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.KBGpy9aGmokhtnMucMRiCeZmtjXDOj46brUmoRsi9zmn6p,_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.nMXemtxAlScf85EZb3o3EFLPLDCgJXTXKM6dk2blW5cbYc,_1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.PczRbxULDToVKqOrWa1phh57lT6j4ni173WMrQrsi2uB13,KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.gn4LIQTgRVbnLjojNrPbWZAXm16pAea()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: XClient.exe.1.dr, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{gDCzSo2zHk4W6cssFbucMA6pf9IqFOt[2],KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.u57WyLuMgR1ye1fDtVmKGnUavOhEx4vNbm3vP1y0jq8WnqxGLs96aLi5rKZSl3D(Convert.FromBase64String(gDCzSo2zHk4W6cssFbucMA6pf9IqFOt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: dF66DKQP7u.exe, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs .Net Code: rLxqBVjMdLc2Xg0u52fVHtIUzzLtzSw System.AppDomain.Load(byte[])
                    Source: dF66DKQP7u.exe, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs .Net Code: EC12twlbTHxX07otHzl80dmVFF3pvHt System.AppDomain.Load(byte[])
                    Source: dF66DKQP7u.exe, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs .Net Code: EC12twlbTHxX07otHzl80dmVFF3pvHt
                    Source: XClient.exe.1.dr, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs .Net Code: rLxqBVjMdLc2Xg0u52fVHtIUzzLtzSw System.AppDomain.Load(byte[])
                    Source: XClient.exe.1.dr, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs .Net Code: EC12twlbTHxX07otHzl80dmVFF3pvHt System.AppDomain.Load(byte[])
                    Source: XClient.exe.1.dr, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.cs .Net Code: EC12twlbTHxX07otHzl80dmVFF3pvHt
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe Code function: 1_2_00007FFAAC34795A push ebx; retf 1_2_00007FFAAC34796A
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe Code function: 1_2_00007FFAAC34815B push ebx; ret 1_2_00007FFAAC34816A
                    Source: dF66DKQP7u.exe, r4DWN3raJSM4tNoGjL47l2ggLqdCyXAy8NpURpcml47tqciORWKogQ4JL34EHVs.csHigh entropy of concatenated method names: 'QHctr4Uh5DhgMShgQExmitGJ15aydWy7htn9u5hCO6Es4A0KhRBgFUwPru6WGHl', 'aAhak3x9xvCpwQSOGYaaoPKruKXzb9rWEXaVUjKmB9QcgHEVJXSDfLIkBkQ6ICf', '_6jOh1yMwLhY2YkfmZnUAMYCjeSvjK6JTgZZ9ANXSEdyFrmZfO08grsPotBfEGAN', 'zObvaBYB6mU7TVWmtJsGlnCGbcY5mb3Me', 'TFdBGXZzTRKoqIujoqb2mBkmmzTJUp8Ik', 'ev9cG8CfiFPNlV7WLQjpANn8AzrRdQZVx', '_2PJ6ivzychCBEfjMVbqtVab53GvvmdHp2', 'ft7sCSjUDu7pf3kAGFtaUvnCD2dVjgC0I', 'u2Qoks3oFSVoLLAQETBIMtsmw79QUqOfr', 'CBqU6J1Irr7R4GaTXa2LBvEkNny4hGlIb'
                    Source: dF66DKQP7u.exe, 1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.csHigh entropy of concatenated method names: '_4IEE9bbB4wRhEKJ11YUMDLKk0ih5VKYKOhuWzxnR6', 'qIkIA9rFa1ftbq3zMngietesgcAWJBqjkF1Cgqe8q', 'yWMlgww3IWiePpmPbxfTr9f2tHPkOlZpyoeG2C6WE', 'ld7MqRSpwVtfoZzOwrnOMQ2949sCI2f9j4YpqJNdI'
                    Source: dF66DKQP7u.exe, BY5En6XuNm8xxQqaeJB9hUDkzse7I4EZV8A9TBHHPpQ4cH.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'IHAjg5JjlagMi51PggAwFxaPhMeq3FeY4x8lZHIRy', 'dLLkidhirZw0hvuMTTZrow84AadCvxdB0CK3cGhuh', '_7KfpQgSX6ft98Fkz3V9dJJ4O58nuyRPZhdlC482Be', 'o1rTulm9fFOl53J34mHvUmuc6eitbPggFjR9cP1Z0'
                    Source: dF66DKQP7u.exe, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.csHigh entropy of concatenated method names: 'llPDgSDBqPs0Mf0Yq4FBdylCtCulza1', 'rLxqBVjMdLc2Xg0u52fVHtIUzzLtzSw', 'LRBzu2GRQt9Ekx1z1SaGZDEycUbqHY8', 'w6dxGRomiujTUkySXMYsHeUNmlBJPKm', 'sMd1N0lkI71MjjFr0mBSnEoRce34XsD', 'CSuaFR1zptcDC5ovM67k70kKcLC8Soq', 'XGOnIaD3kmTT2xZDyp2Yyeq8DPG5MPa', 'WithODjZpNFATZ5GG6pSBSudwcE8VCi', 'tgxyOnQFlbvoAQnRJWwz00I5xytzxbU', 'Pj1HYheCOLmzcQXHkmbRhMwgelrlrWG'
                    Source: dF66DKQP7u.exe, IMQ0GHraOPSDgzK0XMX0kFQgdJmrG9X.csHigh entropy of concatenated method names: 'AMtDD0VMU1waTJ6u8xJFdiO0fQIYZSh', 'saM4TK1l8wzk0VMgsbdOSONSZB4Qyfv', 'uUJv3x5ZbuUL4L9Mv5Uu86kTp7uZj1U', 'IiCPwzFzfadB44iEQau46y5itEgVfPI', 'wmusNt1JlFiQSslOM2e97hU8C7hpQafydAPWBfmM6yZdWzFDN7zBW92UKf5fH9e4vg0uSdoMRfQ097x29K3yLValoo', 'RkDxyKuoQ6gwEMSo9o6EfdScnoXgosaovZ9S7Oz46CWTEiZT38a3pdHsaXw8ixeHjRDDgN9Df7WGl3HUOHRG02CkwZ', 'yalgRINOSZemA8ZSzjubce5SxyxX69Zcaw3NbRJbEv0b0QXDeSy3A48EHFEYz7Q1U4FHmZUob3XSry47KwoFjaBSY5', '_4hYoWsDbJI4KInmX3RbbAYmzDKn7ZBjNpHVESSHcApNDiC4FGW5uu4crSr97Ct27pnaSSsTx2Qy56SYmTnyJX5bzWB', 'cPxJhXdV6hhWQQE3CBwCfdV24I5IacZSxzyfRnShgduOZRWrkugaMFAm987sK2r7B2LlmBkMODgTNBGUvPFlCWfY6o', '_2nEaD2tBe65YlYGawIDJI810iwYkFgJuNbqZwOmHXcK2oeTtHah6VnIk2VrGEgo7PQd3AtYW24WjWoUbMX6ughYQ15'
                    Source: dF66DKQP7u.exe, dUhtYcP2QWO1uHa8T0tWPNNBHFMOafw.csHigh entropy of concatenated method names: 'znL7albMQPWHk8burRp7G10ca7WC7rN', 'EehpmDJAayUpqQvsvWMAliegM6wrDumWhTbkmn2eiXIxWiBsUruwe1du9H', 'L19fB9OQsk3PBkRRyg8M1mtqaoiNLLNuhW0geOfwkSMMA8g2rJyFyQ1eKu', 'k3G8H6ti0Sr6kuQbr4R2ZXnL2p0zglBLgepHhylW7n8T164zO4D9nyPnsD', 'u18bU1NLp02NAIGrcDM2BxlA672hM7aw7M3d9KogBcRI1DAmUUBcyAiOjr'
                    Source: dF66DKQP7u.exe, rDaWKiIIt6Cgva7rFPxxe6TugpHL7NM.csHigh entropy of concatenated method names: 'B1zNMgkvDWudLfmsuRxHKLCGULV1wXf', 'bO7kv4UtQJ7MaRG4pHAUysAYSBz15CP', 'MTo03Qn4jxTXhTmhXjpFWcvF8tZaARm', 'aESMWokGVtgEAWL3H5kzkGQQgpYK9YL', 'UlFpbY1dbOu4UCMWdaSDtEhZLlovq9l', 'DwbVGCaPeiTgAHlese7FM7Pz9Am1Q46', 'Lg5KLCt5l31Ft0fr1wUqbVjKU2SbNM8', '_96eEljE1MdeKVec7TtUJGrWjyi8k2e8', 'vV3peeKfEC0zLFJyAPpnvbGgnOFkXH7', 'TJlBjCl72akHC8zHX8Sr8CkoS98ljNU'
                    Source: dF66DKQP7u.exe, bsxkRdhnptfNnS9w9QGRbQFtkNNLhtutGQWlmKjmpMpGGC.csHigh entropy of concatenated method names: 'ZdbWkWBGOfe4JHN7dnGo6Jz65PNyYUGRL8og9EFxPQbO9J', 'sb0EeoGRDGClUpK7LU7bsziwsZmnWDz2iKfyDScKLliWhR', 'OjEu6K7GidoN12egvIwzitSk5Mu3CDzxV4dE3J18hHAocO', 'PmQ50LyydLvWNAtiv6bGJxU0sWiQsLn6UfRgyUjrdTXSTo', 'EKhMun48Eg0mFkf9hEdZGyiF0bPXIewacUYnAp7c2pWOXQ', 'DRnIaat7Gpq2SV2h6KQO6QtcT82Oykp', '_9y9SNjnG2yUJGSxwgAx6TVFxl1K3Z4V', '_0icPP6FHYCa4I4B3dSzISoLPkq0g7va', 'DhZHQDQVQJcpj7Lb1cyxvzhdJFDOr5T', 'BcgnnuFmAGujBEGvAXLrbMH3usQvmf0'
                    Source: dF66DKQP7u.exe, KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.csHigh entropy of concatenated method names: 'pi0Ul8ko0rhCJRw2BJlRiNpBuiPsXJj', 'T244QBf6gRGJYRgIz0mj4O1SE1KHI30', 'enBLLtXiiBvD9OPshaafHifcFQNu0Rr', 'qLaLnlg4i3MzJLEH8MdxmcteYpAEV3l', 'tx1Igd01NplohDklljKB5Vye6YVJj01', 'ZQBIshKJomKA7TCGp7jgm51b592NNf5', '_8qaG2hXmvpWoR9LLuoEo7qWIEIPgwZQ', 'rRNdIoQtTHS3vcWDCJAnDdonNmyPV5R', 'RStURPI8Jenh2ZLMjWbYhVyubKfwtWo', 'DaKxoPButXBD8A2YJLsFZwiaFaiSWAM'
                    Source: dF66DKQP7u.exe, ojTPvPXsCM8jsZX8VGRUfetjEDioIPkY1PJL8yJ3DFZ4Y6.csHigh entropy of concatenated method names: 'W1Fgl0prhJ8N9ZlmSkAiEXUb6UNfsXu2uVqll1U0i90zLg', 'LvpvLMgv455xQjPYpo3kUMqWiXhjef0Jiupq00Vx7b6bFO', 'on6Tqx58ucg7cHfXk6k1ADqdtA9WUipscaw12p6iyyM2LZ', 'n4FlkHWwqgNJ8hIZga395BdwZEHfzhp22mvgO2zUed9UvL', 'OpW7mVqlyvCiOpKXbi02MeZJK1TcNCSyFo3QVyLYrtnQwj', 'Phg2uxLcrMon4NP3bkuJLQnUCdlMgZzFYvun9c48da3PuV', 'FwTFgtgf7ZMMtalu25KNSPfzLZtGEROmesfn2ApHlNlA3m', 'BaBMz1Rhyoiz5lV7k38z6Ctpb2k7LwHinkTPPpI4Mg8yG5', 'ns4itK24m34LvtZJAPgzJhYoot8VTyWgos5iKHJQKzQbvk', 'MLMke35M9sad9Mj5eGkqel83t9gFMfSJPuLSEJ8wEEfcXx'
                    Source: dF66DKQP7u.exe, oiyWezAXIYnt3zmnfA81TgMQwU9jAKq.csHigh entropy of concatenated method names: 'JrlP2yQdPSisQknwF1tQdDAIWRxtVNf', 'PNi9SZsuNhKj1w1ODcPDLFKDxM6UAQLoWVUoXmO3YsthqwGkfn7v0iQ9KYEXjo9Hnj6JnrMALXOLgTtA91FCHuBmX5', 'LOEKkfM8Yk38PAGfNLaLrIrWA2Dywu7g1cZCUBa0gdhw4D6LtsCrirCjPLFhCGLTulCUv5Z2q86RHa7tudxZ5Qia7L', 'GybcgUPsZiIgj8XQHPV3RHO1W5ozzBS1KwpVWW5kRTcgD8jKqQUuJRTLRwGGT5fKJODbcYFO2FSjP1KNQ2WfdXlqio', 'GpkaWnmVKYAuoojkjT95J26GtEGGw8D9fy8fTCckIoOyfaadIiMf1qyI9PXjHIB072khWLqouT8YxTXW2XvXwfLCup'
                    Source: XClient.exe.1.dr, r4DWN3raJSM4tNoGjL47l2ggLqdCyXAy8NpURpcml47tqciORWKogQ4JL34EHVs.csHigh entropy of concatenated method names: 'QHctr4Uh5DhgMShgQExmitGJ15aydWy7htn9u5hCO6Es4A0KhRBgFUwPru6WGHl', 'aAhak3x9xvCpwQSOGYaaoPKruKXzb9rWEXaVUjKmB9QcgHEVJXSDfLIkBkQ6ICf', '_6jOh1yMwLhY2YkfmZnUAMYCjeSvjK6JTgZZ9ANXSEdyFrmZfO08grsPotBfEGAN', 'zObvaBYB6mU7TVWmtJsGlnCGbcY5mb3Me', 'TFdBGXZzTRKoqIujoqb2mBkmmzTJUp8Ik', 'ev9cG8CfiFPNlV7WLQjpANn8AzrRdQZVx', '_2PJ6ivzychCBEfjMVbqtVab53GvvmdHp2', 'ft7sCSjUDu7pf3kAGFtaUvnCD2dVjgC0I', 'u2Qoks3oFSVoLLAQETBIMtsmw79QUqOfr', 'CBqU6J1Irr7R4GaTXa2LBvEkNny4hGlIb'
                    Source: XClient.exe.1.dr, 1AK3Ttea6hiWiERB6uEeMqZrkrqNUeHm2PZzTD3VAvB1CQ.csHigh entropy of concatenated method names: '_4IEE9bbB4wRhEKJ11YUMDLKk0ih5VKYKOhuWzxnR6', 'qIkIA9rFa1ftbq3zMngietesgcAWJBqjkF1Cgqe8q', 'yWMlgww3IWiePpmPbxfTr9f2tHPkOlZpyoeG2C6WE', 'ld7MqRSpwVtfoZzOwrnOMQ2949sCI2f9j4YpqJNdI'
                    Source: XClient.exe.1.dr, BY5En6XuNm8xxQqaeJB9hUDkzse7I4EZV8A9TBHHPpQ4cH.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'IHAjg5JjlagMi51PggAwFxaPhMeq3FeY4x8lZHIRy', 'dLLkidhirZw0hvuMTTZrow84AadCvxdB0CK3cGhuh', '_7KfpQgSX6ft98Fkz3V9dJJ4O58nuyRPZhdlC482Be', 'o1rTulm9fFOl53J34mHvUmuc6eitbPggFjR9cP1Z0'
                    Source: XClient.exe.1.dr, U9y2RavXwNpIAZsbEqXaxjthBCFD8Ud.csHigh entropy of concatenated method names: 'llPDgSDBqPs0Mf0Yq4FBdylCtCulza1', 'rLxqBVjMdLc2Xg0u52fVHtIUzzLtzSw', 'LRBzu2GRQt9Ekx1z1SaGZDEycUbqHY8', 'w6dxGRomiujTUkySXMYsHeUNmlBJPKm', 'sMd1N0lkI71MjjFr0mBSnEoRce34XsD', 'CSuaFR1zptcDC5ovM67k70kKcLC8Soq', 'XGOnIaD3kmTT2xZDyp2Yyeq8DPG5MPa', 'WithODjZpNFATZ5GG6pSBSudwcE8VCi', 'tgxyOnQFlbvoAQnRJWwz00I5xytzxbU', 'Pj1HYheCOLmzcQXHkmbRhMwgelrlrWG'
                    Source: XClient.exe.1.dr, IMQ0GHraOPSDgzK0XMX0kFQgdJmrG9X.csHigh entropy of concatenated method names: 'AMtDD0VMU1waTJ6u8xJFdiO0fQIYZSh', 'saM4TK1l8wzk0VMgsbdOSONSZB4Qyfv', 'uUJv3x5ZbuUL4L9Mv5Uu86kTp7uZj1U', 'IiCPwzFzfadB44iEQau46y5itEgVfPI', 'wmusNt1JlFiQSslOM2e97hU8C7hpQafydAPWBfmM6yZdWzFDN7zBW92UKf5fH9e4vg0uSdoMRfQ097x29K3yLValoo', 'RkDxyKuoQ6gwEMSo9o6EfdScnoXgosaovZ9S7Oz46CWTEiZT38a3pdHsaXw8ixeHjRDDgN9Df7WGl3HUOHRG02CkwZ', 'yalgRINOSZemA8ZSzjubce5SxyxX69Zcaw3NbRJbEv0b0QXDeSy3A48EHFEYz7Q1U4FHmZUob3XSry47KwoFjaBSY5', '_4hYoWsDbJI4KInmX3RbbAYmzDKn7ZBjNpHVESSHcApNDiC4FGW5uu4crSr97Ct27pnaSSsTx2Qy56SYmTnyJX5bzWB', 'cPxJhXdV6hhWQQE3CBwCfdV24I5IacZSxzyfRnShgduOZRWrkugaMFAm987sK2r7B2LlmBkMODgTNBGUvPFlCWfY6o', '_2nEaD2tBe65YlYGawIDJI810iwYkFgJuNbqZwOmHXcK2oeTtHah6VnIk2VrGEgo7PQd3AtYW24WjWoUbMX6ughYQ15'
                    Source: XClient.exe.1.dr, dUhtYcP2QWO1uHa8T0tWPNNBHFMOafw.csHigh entropy of concatenated method names: 'znL7albMQPWHk8burRp7G10ca7WC7rN', 'EehpmDJAayUpqQvsvWMAliegM6wrDumWhTbkmn2eiXIxWiBsUruwe1du9H', 'L19fB9OQsk3PBkRRyg8M1mtqaoiNLLNuhW0geOfwkSMMA8g2rJyFyQ1eKu', 'k3G8H6ti0Sr6kuQbr4R2ZXnL2p0zglBLgepHhylW7n8T164zO4D9nyPnsD', 'u18bU1NLp02NAIGrcDM2BxlA672hM7aw7M3d9KogBcRI1DAmUUBcyAiOjr'
                    Source: XClient.exe.1.dr, rDaWKiIIt6Cgva7rFPxxe6TugpHL7NM.csHigh entropy of concatenated method names: 'B1zNMgkvDWudLfmsuRxHKLCGULV1wXf', 'bO7kv4UtQJ7MaRG4pHAUysAYSBz15CP', 'MTo03Qn4jxTXhTmhXjpFWcvF8tZaARm', 'aESMWokGVtgEAWL3H5kzkGQQgpYK9YL', 'UlFpbY1dbOu4UCMWdaSDtEhZLlovq9l', 'DwbVGCaPeiTgAHlese7FM7Pz9Am1Q46', 'Lg5KLCt5l31Ft0fr1wUqbVjKU2SbNM8', '_96eEljE1MdeKVec7TtUJGrWjyi8k2e8', 'vV3peeKfEC0zLFJyAPpnvbGgnOFkXH7', 'TJlBjCl72akHC8zHX8Sr8CkoS98ljNU'
                    Source: XClient.exe.1.dr, bsxkRdhnptfNnS9w9QGRbQFtkNNLhtutGQWlmKjmpMpGGC.csHigh entropy of concatenated method names: 'ZdbWkWBGOfe4JHN7dnGo6Jz65PNyYUGRL8og9EFxPQbO9J', 'sb0EeoGRDGClUpK7LU7bsziwsZmnWDz2iKfyDScKLliWhR', 'OjEu6K7GidoN12egvIwzitSk5Mu3CDzxV4dE3J18hHAocO', 'PmQ50LyydLvWNAtiv6bGJxU0sWiQsLn6UfRgyUjrdTXSTo', 'EKhMun48Eg0mFkf9hEdZGyiF0bPXIewacUYnAp7c2pWOXQ', 'DRnIaat7Gpq2SV2h6KQO6QtcT82Oykp', '_9y9SNjnG2yUJGSxwgAx6TVFxl1K3Z4V', '_0icPP6FHYCa4I4B3dSzISoLPkq0g7va', 'DhZHQDQVQJcpj7Lb1cyxvzhdJFDOr5T', 'BcgnnuFmAGujBEGvAXLrbMH3usQvmf0'
                    Source: XClient.exe.1.dr, KtiRYWJSaCHYf7DGD98hs4alwRwCpfB.csHigh entropy of concatenated method names: 'pi0Ul8ko0rhCJRw2BJlRiNpBuiPsXJj', 'T244QBf6gRGJYRgIz0mj4O1SE1KHI30', 'enBLLtXiiBvD9OPshaafHifcFQNu0Rr', 'qLaLnlg4i3MzJLEH8MdxmcteYpAEV3l', 'tx1Igd01NplohDklljKB5Vye6YVJj01', 'ZQBIshKJomKA7TCGp7jgm51b592NNf5', '_8qaG2hXmvpWoR9LLuoEo7qWIEIPgwZQ', 'rRNdIoQtTHS3vcWDCJAnDdonNmyPV5R', 'RStURPI8Jenh2ZLMjWbYhVyubKfwtWo', 'DaKxoPButXBD8A2YJLsFZwiaFaiSWAM'
                    Source: XClient.exe.1.dr, ojTPvPXsCM8jsZX8VGRUfetjEDioIPkY1PJL8yJ3DFZ4Y6.csHigh entropy of concatenated method names: 'W1Fgl0prhJ8N9ZlmSkAiEXUb6UNfsXu2uVqll1U0i90zLg', 'LvpvLMgv455xQjPYpo3kUMqWiXhjef0Jiupq00Vx7b6bFO', 'on6Tqx58ucg7cHfXk6k1ADqdtA9WUipscaw12p6iyyM2LZ', 'n4FlkHWwqgNJ8hIZga395BdwZEHfzhp22mvgO2zUed9UvL', 'OpW7mVqlyvCiOpKXbi02MeZJK1TcNCSyFo3QVyLYrtnQwj', 'Phg2uxLcrMon4NP3bkuJLQnUCdlMgZzFYvun9c48da3PuV', 'FwTFgtgf7ZMMtalu25KNSPfzLZtGEROmesfn2ApHlNlA3m', 'BaBMz1Rhyoiz5lV7k38z6Ctpb2k7LwHinkTPPpI4Mg8yG5', 'ns4itK24m34LvtZJAPgzJhYoot8VTyWgos5iKHJQKzQbvk', 'MLMke35M9sad9Mj5eGkqel83t9gFMfSJPuLSEJ8wEEfcXx'
                    Source: XClient.exe.1.dr, oiyWezAXIYnt3zmnfA81TgMQwU9jAKq.csHigh entropy of concatenated method names: 'JrlP2yQdPSisQknwF1tQdDAIWRxtVNf', 'PNi9SZsuNhKj1w1ODcPDLFKDxM6UAQLoWVUoXmO3YsthqwGkfn7v0iQ9KYEXjo9Hnj6JnrMALXOLgTtA91FCHuBmX5', 'LOEKkfM8Yk38PAGfNLaLrIrWA2Dywu7g1cZCUBa0gdhw4D6LtsCrirCjPLFhCGLTulCUv5Z2q86RHa7tudxZ5Qia7L', 'GybcgUPsZiIgj8XQHPV3RHO1W5ozzBS1KwpVWW5kRTcgD8jKqQUuJRTLRwGGT5fKJODbcYFO2FSjP1KNQ2WfdXlqio', 'GpkaWnmVKYAuoojkjT95J26GtEGGw8D9fy8fTCckIoOyfaadIiMf1qyI9PXjHIB072khWLqouT8YxTXW2XvXwfLCup'
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe File created: C:\Users\user\AppData\Roaming\XClient.exe
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: dF66DKQP7u.exe, 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: dF66DKQP7u.exe, XClient.exe.1.dr | Binary or memory string: SBIEDLL.DLLSWY8NTISNOLPGFEWPNW5RTJA6EXE6B1SEEPNT16YXESYVBELFYCBQVAEAXP2OSSNDKSL5YY9GJUU2AGT0OH5SPHRVAEZAG3EQE3QAXXRMEBLKSVNAB04KQSIKNSRP0SQESWGCDLCVYNL0NCNICBDWWTCMQ5XDVILIFXEBE08
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Memory allocated: 9D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Memory allocated: 1A660000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599890
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599546
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599436
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599327
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 599109
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598999
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598825
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598715
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598609
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598406
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598296
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598184
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 598078
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597968
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597859
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597749
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597639
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597531
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597421
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597312
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597202
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 597093
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596984
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596874
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596765
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596656
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596546
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596433
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596312
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596202
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 596015
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595901
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595777
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595666
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595562
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595453
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595343
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595234
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595124
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 595015
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594906
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594796
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594687
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594578
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594468
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594359
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Thread delayed: delay time: 594249
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Window / User API: threadDelayed 2082
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Window / User API: threadDelayed 7747
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599890s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599765s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599656s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599546s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599436s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599327s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599218s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -599109s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598999s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598825s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598715s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598609s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598406s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598296s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598184s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -598078s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597968s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597859s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597749s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597639s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597531s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597421s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597312s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597202s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -597093s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596984s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596874s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596765s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596656s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596546s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596433s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596312s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596202s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -596015s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595901s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595777s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595666s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595562s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595453s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595343s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595234s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595124s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -595015s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594906s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594796s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594687s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594578s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594468s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594359s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe TID: 7492 | Thread sleep time: -594249s >= -30000s
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | File Volume queried: C:\ FullSizeInformation
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: dF66DKQP7u.exe, 00000001.00000002.2352398529.000000001B421000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
                    Source: XClient.exe.1.dr | Binary or memory string: vmware
                    Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
                    Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                    Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Code function: 1_2_00007FFAAC347341 CheckRemoteDebuggerPresent, 1_2_00007FFAAC347341
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Queries volume information: C:\Users\user\Desktop\dF66DKQP7u.exe VolumeInformation
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\dF66DKQP7u.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dF66DKQP7u.exe, type: SAMPLE
                    Source: Yara match | File source: 1.0.dF66DKQP7u.exe.290000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: dF66DKQP7u.exe PID: 7296, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match | File source: dF66DKQP7u.exe, type: SAMPLE
                    Source: Yara match | File source: 1.0.dF66DKQP7u.exe.290000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: dF66DKQP7u.exe PID: 7296, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
MITRE ATT&CK matrix (numbers in parentheses are the counts shown in the report beside matched techniques; the remaining cells are the unmatched template entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | Registry Run Keys / Startup Folder (2) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (11) | Web Service (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (2) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (431) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (51) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (1) | NTDS | Virtualization/Sandbox Evasion (51) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Application Layer Protocol (13) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (11) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (2) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (23) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
dF66DKQP7u.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
dF66DKQP7u.exe | 100% | Avira | TR/Spy.Gen
dF66DKQP7u.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XClient.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
pastebin.com | 104.20.3.235 | true | false | | high
zebby-22086.portmap.host | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/b9mBR3Jm | false | | high
http://ip-api.com/line/?fields=hosting | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | dF66DKQP7u.exe, 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com | dF66DKQP7u.exe, 00000001.00000002.2348727892.00000000026AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | dF66DKQP7u.exe, 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579079
Start date and time: 2024-12-20 19:15:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: dF66DKQP7u.exe (renamed because original name is a hash value)
Original Sample Name: 160c5e731842e66b88ef13597bc948285fabf82539cd09cc7ccf0548233f6bd8.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/7@19/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 8
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: dF66DKQP7u.exe
Time | Type | Description
13:16:16 | API Interceptor | 1345246x Sleep call for process: dF66DKQP7u.exe modified
19:16:18 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | cr_asm3.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm_atCAD.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | 5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
208.95.112.1 | fvbhdyuJYi.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 8DiSW8IPEF.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | twE44mm07j.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | KJhsNv2RcI.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | gs7lQa4EuM.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL_231437894819.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | dlhost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | fvbhdyuJYi.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 8DiSW8IPEF.exe | malicious | XWorm | 208.95.112.1
ip-api.com | twE44mm07j.exe | malicious | XWorm | 208.95.112.1
ip-api.com | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | KJhsNv2RcI.exe | malicious | XWorm | 208.95.112.1
ip-api.com | gs7lQa4EuM.exe | malicious | XWorm | 208.95.112.1
ip-api.com | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | dlhost.exe | malicious | XWorm | 208.95.112.1
ip-api.com | WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
pastebin.com | bad.txt | malicious | AsyncRAT | 104.20.3.235
pastebin.com | dlhost.exe | malicious | XWorm | 104.20.4.235
pastebin.com | htkeUc1zJ0.exe | malicious | Unknown | 104.20.4.235
pastebin.com | c2.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | malicious | Unknown | 172.67.19.24
pastebin.com | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 104.20.4.235
pastebin.com | file.exe | malicious | XWorm | 172.67.19.24
pastebin.com | main.exe | malicious | Unknown | 104.20.4.235
pastebin.com | CVmkXJ7e0a.exe | malicious | SheetRat | 104.20.4.235
pastebin.com | http://annavirgili.com | malicious | CAPTCHA Scam ClickFix | 172.67.19.24
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://tekascend.com/Ray-verify.html | malicious | NetSupport RAT | 1.1.1.1
CLOUDFLARENETUS | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 104.20.22.46
CLOUDFLARENETUS | http://url4659.orders.vanillagift.com/ls/click?upn=u001.4gSefN7qGt7uZc-2BljvSfDuK9c6f7zz-2BRDdNLkOmxp-2BfCpVRV4q5JSM05F18NmhW9aTh4D-2B-2FvKc3l62XSGdMxHErqjDyHVaRGnhWtdaxelWfxz8x2-2FY7A4qgb3tzDonO-2BR4v55hRVWLW8mGedQ4WKyhGmLG6TdN0VE3FuoaMfqbWnIJZADjzcMmwi0-2FbwmmeKkdfIhUk0sBHSi9RcRmdsfuOZwL5O2zEB6UFf08dp06kJXruK-2BF70HVCIIa3GSMCo48RLkzWG8dEOH-2FBZmckwy2IyrmhGk7TORgwM5bk4PbUxQPoYKq7IdXZDoj7BBWFZXgs6KkXD1kVfgQOsMLEKQeTvK5ATiMGw5YUv9FTPZiWgh4O-2B6hR3uc5gCam5ygOCJsmG3ya5dOP3AzZxmtrQO2ixrFnkLK-2Bkk5ChvTn26C-2BioOkvRUSczMMaDc3goe-2FffK-2FLybPlPtaG8BM0aogkRmbjy7uKwhjOW-2BFQyWewVzg-3DIgAR_79LTZgGyJjQA0yKF2CHqblXBaDJuc2sNW7Piu5vjvmdwcqDrB-2Buw9ZQukwHO-2BFDa1Pj-2BnPyP1wnuiUj8o1jeVFZ-2B0yTi1w6olXhC5xGcnSuX-2FPX8EC9nfY-2B3npShVzZ4Fae90bxak04TDiCsiP7PmtAOagYeRI4FU2qDP2MtD3eIC1vtRjmGkonGMDUW1rPFYKa2pBviC8swsnzOU26q7ssqOo-2FLjO6-2B2IyWprhTXXBsBk2HZWehLV3F8Prl0XOgIIe0Oi6f3V8mliLO9NN8Iw-3D-3D | malicious | Unknown | 104.19.230.21
CLOUDFLARENETUS | phish_alert_iocp_v1.10.16(15).eml | malicious | Unknown | 104.19.229.21
CLOUDFLARENETUS | https://lvxsystem.info/ | malicious | Unknown | 172.67.183.243
CLOUDFLARENETUS | Set-up.exe | malicious | LummaC Stealer | 104.21.84.113
CLOUDFLARENETUS | Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe | malicious | MassLogger RAT | 172.67.177.134
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT | 172.67.197.170
CLOUDFLARENETUS | Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | Fortexternal.exe | malicious | Unknown | 172.67.75.163
TUT-ASUS | fvbhdyuJYi.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 8DiSW8IPEF.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | twE44mm07j.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | KJhsNv2RcI.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | gs7lQa4EuM.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 208.95.112.1
TUT-ASUS | DHL_231437894819.bat.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | dlhost.exe | malicious | XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | P0RN-vidz.Client.exe | malicious | ScreenConnect Tool | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | 2AIgdyA1Cl.exe | malicious | Stealc, Vidar | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | Sentinelled.vbs | malicious | Unknown | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta | malicious | Cobalt Strike | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION#008792.exe | malicious | AgentTesla | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | Invoice DHL - AWB 2024 E4001 - 0000731.exe | malicious | Snake Keylogger | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment | malicious | HTMLPhisher | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT | 104.20.3.235
3b5074b1b5d032e5620f69f9f700ff0e | ktyihkdfesf.exe | malicious | Vidar | 104.20.3.235
                                      No context
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.4032273371740966
                                      Encrypted:false
                                      SSDEEP:384:wFbzcN53ESthpa48iMxKezuiFsY4lO8/gs:Yb6ESthpatMezuiFsY4lO8
                                      MD5:B1FD6657366BC11E761C7705765B1F39
                                      SHA1:FC2347E718D53E48A07EC3EBB9D2D18858744F00
                                      SHA-256:C5C35F14411E324E43399421FB411852C20B82AD7DDFFBE0F062945E8EA6EF88
                                      SHA-512:B5BD86EAEF3B11078BA86529CA5B1859A41B017BFF9B3613576F936204508695146263ADD33D563B269F86B9EBC4C41ADA0F3A71BAACD818D9837635B5B0CCAE
                                      Malicious:true
                                      Reputation:low
Preview (decoded from UTF-16; cut off at the same point as in the report):
Version=1
EventType=CriticalProcessFault2
EventTime=133791994351158056
ReportType=2
Consent=1
ReportIdentifier=6cf3e879-045d-4803-9a34-049021968e82
IntegratorReportIdentifier=8d634c3d-be09-4034-b0e3-b4e5cbd666dc
Wow64Host=34404
NsAppName=dF66DKQP7u.exe
OriginalFilename=FlasherSoftwarePRO.exe
AppSessionGuid=00001c80-0001-0014-0ade-eb3e0b53db01
TargetAppId=W:0006d2b1490494e632a5cb8dc3489b160f6f00000000!000038ce2766b03bceb128d3ba950933c2edd8669b81!dF66DKQP7u.exe
TargetAppVer=2024//12//
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Mini DuMP crash report, 16 streams, Fri Dec 20 20:17:15 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):644200
                                      Entropy (8bit):3.0097822171662902
                                      Encrypted:false
                                      SSDEEP:3072:nbKLhXyWojPxvF9A8G/n6Lea1CCq5u/m3+vjODLKf8I9RT4sGXA6cSlPIei:eLhCWmJbA8G/b4qQ/m3Q6vKlT6O9
                                      MD5:C74AD2247B20A91A8FB72CC1AE5F931F
                                      SHA1:B18CE7CA1FE207FDD8F7EF3CDD61275881CA0265
                                      SHA-256:1B3D4FF6D2F283EDFC49842B84D7D38F6F3B3982D34BAE35E866306112580776
                                      SHA-512:2065CADEF4B295A0D8DDEB758E439402421F695FB0706EE8F8BB5B03B78349626A6CC6022F78C194FF0D243C758E281129F84C66829F504282DC3B2E921616C3
                                      Malicious:false
                                      Reputation:low
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):9298
                                      Entropy (8bit):3.7022674849656227
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJ9yZ9LuW6YNgMPgmfk4jv4ttpr589bsmEfLkm:R6lXJIZ9b6YqMPgmfkC4tms9fN
                                      MD5:3EB01D242DE895F30EE6FFE2312D5B5F
                                      SHA1:8FBE4E7336B9E67515D2BE3D652DDF87459AE8A1
                                      SHA-256:E7D36EB79B63C4310BDF099BF07F64CECBE3ED43C63DDEA364896836BEF5777F
                                      SHA-512:C2029DBE866EC25C4D43CB7C77630B07C29B059E2B798A15DEC69AD08A915E473CFB71E9C1683FDDF96C056C73F487E648BB3D06F3D78FDD1281E451480A110C
                                      Malicious:false
                                      Reputation:low
Preview (decoded from UTF-16; cut off at the same point as in the report):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>7296</Pi
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4936
                                      Entropy (8bit):4.487484808619887
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsEJg771I9o7WpW8VYZYm8M4J3SFZjyq8vRnD4tyzzI7d:uIjfCI7fK7VtJeW54tyzzI7d
                                      MD5:D3AB294EFE057312C9E6DA0E492A66D3
                                      SHA1:39E971B95FAD40DC428D0550345EE045865A0D3E
                                      SHA-256:DCCB4757F22B93B9FB6E28CB2CF6E964D21638F4E7BDB66FF511186AEA1482C1
                                      SHA-512:19FEFDDFDD7D578D892338D2EAB3937DD84012C8119BDA2F58350A1053533991E3E473EE09FADF5788A265C89DA509773E8AF2ADA50EBE1B64E2A673965B1BCE
                                      Malicious:false
                                      Reputation:low
Preview (line breaks restored; cut off at the same point as in the report):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="640039" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
                                      Process:C:\Users\user\Desktop\dF66DKQP7u.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 17:16:16 2024, mtime=Fri Dec 20 17:16:16 2024, atime=Fri Dec 20 17:16:16 2024, length=82944, window=hide
                                      Category:dropped
                                      Size (bytes):768
                                      Entropy (8bit):5.0992680990941315
                                      Encrypted:false
                                      SSDEEP:12:81lE24eyN+2ChHi1Y//uvLxijA6NHkfLu7pJC7pJzBmV:8v+eL2E9ExeApDutJCtJtm
                                      MD5:F435E9808ECFEFAA41C75ECB09BDB33C
                                      SHA1:C8D5959293F5F43BB316C2BF4505E07D01714DDF
                                      SHA-256:CFE1C12313B90986FD39BFFB99AB1780AD5A048CFC8BA878DED2CCD0241DE493
                                      SHA-512:B5C4FC2EDEA41F6331EBD1762A46478536510FAFC376B2A18C50739881E5DE1210567690C069D412EA1C50702CE78696366B681B9E52DF0C6F1AD939B29280F6
                                      Malicious:false
                                      Reputation:low
                                      Process:C:\Users\user\Desktop\dF66DKQP7u.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):82944
                                      Entropy (8bit):5.926491924183027
                                      Encrypted:false
                                      SSDEEP:1536:UrSseDP3YhBZ2qwKxW459FproMgb3+VntDREWDESdKYdWzO/QEKJSj5BWrmpm:UrKDfYhBE/up0vbOV16WYSSO/xSSVfpm
                                      MD5:00ABA1719EC22A25A96ACFA88DF5AE61
                                      SHA1:38CE2766B03BCEB128D3BA950933C2EDD8669B81
                                      SHA-256:160C5E731842E66B88EF13597BC948285FABF82539CD09CC7CCF0548233F6BD8
                                      SHA-512:C18BA8086BFBE3E79CEEA59599C434BCB5558D43BAB25ABDBCC2B2CDD48B2497D6BBC47A94B360362AF3F49D7D19D2236ADE5D991E7A321858B7D30A54223DB7
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\XClient.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 79%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^dg.................:...........Y... ...`....@.. ....................................@.................................8Y..S....`............................................................................... ............... ..H............text....9... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................pY......H........`..........&.....................................................(....*.r...p*. y.".*..(....*.r...p*. ..|.*.s.........s.........s.........s.........*.r...p*. .(T.*.r)..p*. .n..*.r}..p*. ..e.*.r...p*. S...*.r%..p*. ....*..((...*.rf..p*. ....*.r...p*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Q...*"(....+.*&(....&+.*.+5s`... .... .'..oa...(,...~....-.(_...(Q...~....ob...&.-.*.r...p*. ..F.*.r8..p*. *p{.*.r...p*. ..G.*.r...p*. .x!.*.r4..p*. ._.*.r...p*. ...*.r^..p*. J.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.416775866261377
                                      Encrypted:false
                                      SSDEEP:6144:9cifpi6ceLPL9skLmb0m6SWSPtaJG8nAgex285i2MMhA20X4WABlGuNM5+:Ki586SWIZBk2MM6AFBqo
                                      MD5:C182F3CBB80F3E6B06B68D7770E3191F
                                      SHA1:A69B39F7455BE3166AF7783CFEE092958528B9B9
                                      SHA-256:92DC72F6987356C26E3D2AE9861308A7C5E0DE87CF402248EBD4F2A63FCCA21A
                                      SHA-512:B7F893815DADEB3DD44E162E1B650AAF15D77900FC62036E6335A426EBFF84416D75A5C48AF53021EE69CCB194DDF884F65DB29D2FD67BB8FE3D2C939C6EFBC7
                                      Malicious:false
                                      Reputation:low
                                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.".).S..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):5.926491924183027
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:dF66DKQP7u.exe
                                      File size:82'944 bytes
                                      MD5:00aba1719ec22a25a96acfa88df5ae61
                                      SHA1:38ce2766b03bceb128d3ba950933c2edd8669b81
                                      SHA256:160c5e731842e66b88ef13597bc948285fabf82539cd09cc7ccf0548233f6bd8
                                      SHA512:c18ba8086bfbe3e79ceea59599c434bcb5558d43bab25abdbcc2b2cdd48b2497d6bbc47a94b360362af3f49d7d19d2236ade5d991e7a321858b7d30a54223db7
                                      SSDEEP:1536:UrSseDP3YhBZ2qwKxW459FproMgb3+VntDREWDESdKYdWzO/QEKJSj5BWrmpm:UrKDfYhBE/up0vbOV16WYSSO/xSSVfpm
                                      TLSH:21837C1837F9452AF1FFAFB059E53657CF3AB7231803959F20D5028A1623A84CE51AF6
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^dg.................:...........Y... ...`....@.. ....................................@................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x41598e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x67645E9E [Thu Dec 19 17:57:50 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15938 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x4fe | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x13994 | 0x13a00 | 08bca941c450289b6fcc35f9c8c354ec | False | 0.6084792993630573 | data | 5.988621976825981 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x4fe | 0x600 | 92277417cb178cbfa62a59f5eb5585c4 | False | 0.3834635416666667 | data | 3.804932892847188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0xc | 0x200 | 203e44b93d58ed0330b8297981d4d233 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x160a0 | 0x274 | data | | | 0.4570063694267516
RT_MANIFEST | 0x16314 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:16:15.613100052 CET | 49708 | 80 | 192.168.2.7 | 208.95.112.1
Dec 20, 2024 19:16:15.732748985 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.7
Dec 20, 2024 19:16:15.732909918 CET | 49708 | 80 | 192.168.2.7 | 208.95.112.1
Dec 20, 2024 19:16:15.733885050 CET | 49708 | 80 | 192.168.2.7 | 208.95.112.1
Dec 20, 2024 19:16:15.853379011 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.7
Dec 20, 2024 19:16:16.828840017 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.7
Dec 20, 2024 19:16:16.869937897 CET | 49708 | 80 | 192.168.2.7 | 208.95.112.1
Dec 20, 2024 19:16:18.152662992 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:18.152687073 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:18.152990103 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:18.166218996 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:18.166234016 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:19.417318106 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:19.417392969 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:19.423896074 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:19.423913002 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:19.424316883 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:19.463648081 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:19.669945002 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:19.715332031 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:20.375268936 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:20.375449896 CET | 443 | 49714 | 104.20.3.235 | 192.168.2.7
Dec 20, 2024 19:16:20.375540972 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:16:20.391968966 CET | 49714 | 443 | 192.168.2.7 | 104.20.3.235
Dec 20, 2024 19:17:28.505672932 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.7
Dec 20, 2024 19:17:28.505733967 CET | 49708 | 80 | 192.168.2.7 | 208.95.112.1
Dec 20, 2024 19:17:55.119057894 CET | 49708 | 80 | 192.168.2.7 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 19:16:15.466017962 CET | 61620 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:15.607184887 CET | 53 | 61620 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:18.014453888 CET | 49158 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:18.151693106 CET | 53 | 49158 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:20.540537119 CET | 57025 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:20.767623901 CET | 53 | 57025 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:25.574620008 CET | 51301 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:25.714663982 CET | 53 | 51301 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:30.403676987 CET | 49508 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:30.547239065 CET | 53 | 49508 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:34.777425051 CET | 49743 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:34.915695906 CET | 53 | 49743 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:39.840158939 CET | 59842 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:39.977205992 CET | 53 | 59842 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:47.636847973 CET | 55397 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:47.774509907 CET | 53 | 55397 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:54.637188911 CET | 51012 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:54.774702072 CET | 53 | 51012 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:16:58.761902094 CET | 62569 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:16:58.905091047 CET | 53 | 62569 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:04.574527979 CET | 56557 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:04.712693930 CET | 53 | 56557 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:09.746311903 CET | 50143 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:09.883256912 CET | 53 | 50143 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:14.652452946 CET | 57290 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:14.790420055 CET | 53 | 57290 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:19.199327946 CET | 52092 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:19.337542057 CET | 53 | 52092 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:23.762248039 CET | 57734 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:23.901021957 CET | 53 | 57734 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:30.077672958 CET | 57049 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:30.217950106 CET | 53 | 57049 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:36.530098915 CET | 65535 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:36.667891979 CET | 53 | 65535 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:44.007296085 CET | 60769 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:44.144066095 CET | 53 | 60769 | 1.1.1.1 | 192.168.2.7
Dec 20, 2024 19:17:48.761353016 CET | 58911 | 53 | 192.168.2.7 | 1.1.1.1
Dec 20, 2024 19:17:48.902152061 CET | 53 | 58911 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 19:16:15.466017962 CET | 192.168.2.7 | 1.1.1.1 | 0xdb10 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:18.014453888 CET | 192.168.2.7 | 1.1.1.1 | 0x84e8 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:20.540537119 CET | 192.168.2.7 | 1.1.1.1 | 0xfc74 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:25.574620008 CET | 192.168.2.7 | 1.1.1.1 | 0x4b1e | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:30.403676987 CET | 192.168.2.7 | 1.1.1.1 | 0xda8 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:34.777425051 CET | 192.168.2.7 | 1.1.1.1 | 0xa502 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:39.840158939 CET | 192.168.2.7 | 1.1.1.1 | 0x8427 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:47.636847973 CET | 192.168.2.7 | 1.1.1.1 | 0xdeb4 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:54.637188911 CET | 192.168.2.7 | 1.1.1.1 | 0xba52 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:58.761902094 CET | 192.168.2.7 | 1.1.1.1 | 0x28e7 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:04.574527979 CET | 192.168.2.7 | 1.1.1.1 | 0xb0e7 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:09.746311903 CET | 192.168.2.7 | 1.1.1.1 | 0xdff4 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:14.652452946 CET | 192.168.2.7 | 1.1.1.1 | 0x84bc | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:19.199327946 CET | 192.168.2.7 | 1.1.1.1 | 0xaca3 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:23.762248039 CET | 192.168.2.7 | 1.1.1.1 | 0x74e | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:30.077672958 CET | 192.168.2.7 | 1.1.1.1 | 0xccfc | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:36.530098915 CET | 192.168.2.7 | 1.1.1.1 | 0x9cc2 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:44.007296085 CET | 192.168.2.7 | 1.1.1.1 | 0xadfc | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:48.761353016 CET | 192.168.2.7 | 1.1.1.1 | 0xaa47 | Standard query (0) | zebby-22086.portmap.host | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 19:16:15.607184887 CET | 1.1.1.1 | 192.168.2.7 | 0xdb10 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:18.151693106 CET | 1.1.1.1 | 192.168.2.7 | 0x84e8 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:18.151693106 CET | 1.1.1.1 | 192.168.2.7 | 0x84e8 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:18.151693106 CET | 1.1.1.1 | 192.168.2.7 | 0x84e8 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:20.767623901 CET | 1.1.1.1 | 192.168.2.7 | 0xfc74 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:25.714663982 CET | 1.1.1.1 | 192.168.2.7 | 0x4b1e | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:30.547239065 CET | 1.1.1.1 | 192.168.2.7 | 0xda8 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:34.915695906 CET | 1.1.1.1 | 192.168.2.7 | 0xa502 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:39.977205992 CET | 1.1.1.1 | 192.168.2.7 | 0x8427 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:47.774509907 CET | 1.1.1.1 | 192.168.2.7 | 0xdeb4 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:54.774702072 CET | 1.1.1.1 | 192.168.2.7 | 0xba52 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:16:58.905091047 CET | 1.1.1.1 | 192.168.2.7 | 0x28e7 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:04.712693930 CET | 1.1.1.1 | 192.168.2.7 | 0xb0e7 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:09.883256912 CET | 1.1.1.1 | 192.168.2.7 | 0xdff4 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:14.790420055 CET | 1.1.1.1 | 192.168.2.7 | 0x84bc | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:19.337542057 CET | 1.1.1.1 | 192.168.2.7 | 0xaca3 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:23.901021957 CET | 1.1.1.1 | 192.168.2.7 | 0x74e | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:30.217950106 CET | 1.1.1.1 | 192.168.2.7 | 0xccfc | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:36.667891979 CET | 1.1.1.1 | 192.168.2.7 | 0x9cc2 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:44.144066095 CET | 1.1.1.1 | 192.168.2.7 | 0xadfc | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
Dec 20, 2024 19:17:48.902152061 CET | 1.1.1.1 | 192.168.2.7 | 0xaa47 | Name error (3) | zebby-22086.portmap.host | none | none | A (IP address) | IN (0x0001) | false
                                      • pastebin.com
                                      • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49708 | 208.95.112.1 | 80 | 7296 | C:\Users\user\Desktop\dF66DKQP7u.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 19:16:15.733885050 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 20, 2024 19:16:16.828840017 CET | 175 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:16:15 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49714 | 104.20.3.235 | 443 | 7296 | C:\Users\user\Desktop\dF66DKQP7u.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-20 18:16:19 UTC | 74 | OUT | GET /raw/b9mBR3Jm HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
2024-12-20 18:16:20 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 18:16:20 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Fri, 20 Dec 2024 18:16:20 GMT
Server: cloudflare
CF-RAY: 8f519f73fd4cf799-EWR
2024-12-20 18:16:20 UTC | 36 | IN | Data Raw: 31 65 0d 0a 7a 65 62 62 79 2d 32 32 30 38 36 2e 70 6f 72 74 6d 61 70 2e 68 6f 73 74 3a 32 32 30 38 36 0d 0a
Data Ascii: 1ezebby-22086.portmap.host:22086
2024-12-20 18:16:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



Target ID: 1
Start time: 13:16:10
Start date: 20/12/2024
Path: C:\Users\user\Desktop\dF66DKQP7u.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\dF66DKQP7u.exe"
Imagebase: 0x290000
File size: 82'944 bytes
MD5 hash: 00ABA1719EC22A25A96ACFA88DF5AE61
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1321059987.0000000000292000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2348727892.0000000002661000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 8
Start time: 15:17:14
Start date: 20/12/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 2988
Imagebase: 0x7ff65b550000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


                                        Execution Graph

                                        Execution Coverage:19.8%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:33.3%
                                        Total number of Nodes:9
                                        Total number of Limit Nodes:0

                                        Control-flow Graph

Graph of the function at 7ffaac341028-7ffaac34192c (rendered as executed and not-executed basic blocks; internal calls to 7ffaac340638, 7ffaac340a38, 7ffaac3404b8, 7ffaac340358, 7ffaac340368 and 7ffaac340378)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6$6$6$6$"r
                                        • API String ID: 0-3979851792
                                        • Opcode ID: 2afbeb0db32afe946808a66f59f71478606371b269eb549ed632e71951a5b6cc
                                        • Instruction ID: 95086d951e0c38165248c784fca5792d01ec74c857fb61d1eb3ef05e2b5b6a43
                                        • Opcode Fuzzy Hash: 2afbeb0db32afe946808a66f59f71478606371b269eb549ed632e71951a5b6cc
                                        • Instruction Fuzzy Hash: 87123862B19A164BE754FB78D465AF9B791FF89711F04847AE00EC32E2CE28AC4583D1

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6$6$6$6
                                        • API String ID: 0-3214027553
                                        • Opcode ID: 17691f5c7882f6335f593d6fc4ff7552c0a231560b2f2e123247c040dc4c0639
                                        • Instruction ID: 4cf7c4ede5ffc0bc0ecfa05c43e552a9f4cb5ed62066ba42448768ccebe30fab
                                        • Opcode Fuzzy Hash: 17691f5c7882f6335f593d6fc4ff7552c0a231560b2f2e123247c040dc4c0639
                                        • Instruction Fuzzy Hash: 2FC1A361B1DE098FFB88E738C455AB9B6D2EF99302F048179D14EC32D2DE28E8464385

                                        Control-flow Graph

Graph of the function at 7ffaac345d96-7ffaac346253 (rendered as executed and not-executed basic blocks; internal call to 7ffaac346254)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: MT}$MT}
                                        • API String ID: 0-4118850171
                                        • Opcode ID: 345b57d2ea25aa40b923c810ddda14255e43c842b66e69500742d19f0e340aa7
                                        • Instruction ID: bbf828faf7bee772e969d5cc3326d30e54516af04dd5f9be6d01b625f18072f4
                                        • Opcode Fuzzy Hash: 345b57d2ea25aa40b923c810ddda14255e43c842b66e69500742d19f0e340aa7
                                        • Instruction Fuzzy Hash: 1DF1A37090DA4D8FEBA8DF28C855BE977E1FF55311F04826AE84DC7291CB34D9448B82

                                        Control-flow Graph

Graph of the function at 7ffaac346b42-7ffaac346fcf (rendered as executed and not-executed basic blocks; internal call to 7ffaac346fd0)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: MT}$MT}
                                        • API String ID: 0-4118850171
                                        • Opcode ID: 4b3ea20599c580faefddd6e675f6688e2591f40ed323edaebd58c68c3b8b9ece
                                        • Instruction ID: 7f53da9ef55de9a351613b5ade7daa5c1d9f72604f8505d82aad21aef55b27a4
                                        • Opcode Fuzzy Hash: 4b3ea20599c580faefddd6e675f6688e2591f40ed323edaebd58c68c3b8b9ece
                                        • Instruction Fuzzy Hash: 2AE1A230909A4E8FEBA8DF28C856BE977E1EF55311F04826ED84DC7291DE74E9448BC1

                                        Control-flow Graph

Graph of the function at 7ffaac347341-7ffaac347448 (rendered as executed and not-executed basic blocks; calls CheckRemoteDebuggerPresent)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0
                                        • Opcode ID: fe0de3052c0ebdf732b3961d0ae41f61eab490302796b0a185c089edb1606d14
                                        • Instruction ID: f8f90b305028f3cfa1155c2ef65a35c6bd7e524a84d05bc795d589f2c10afe0f
                                        • Opcode Fuzzy Hash: fe0de3052c0ebdf732b3961d0ae41f61eab490302796b0a185c089edb1606d14
                                        • Instruction Fuzzy Hash: 1131353190875C8FCB18DF58C846BE97BE0FF66321F05426BD489D7252DB34A806CB91

                                        Control-flow Graph

Graph of the function at 7ffaac34962d-7ffaac34974d (rendered as executed and not-executed basic blocks; calls RtlSetProcessIsCritical)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: b9f865d570b8235b3c8280d8ff040c72b12f5ec55b001810886ad5c87c899df5
                                        • Instruction ID: ae6c8a7ca6292f7ccc72045e22e8c318dec9e4ebd9e1aa4e4969114fefd77f5e
                                        • Opcode Fuzzy Hash: b9f865d570b8235b3c8280d8ff040c72b12f5ec55b001810886ad5c87c899df5
                                        • Instruction Fuzzy Hash: 2241C33180C7598FD719DFA8D845AE9BBF0FF56311F04416EE08AC3692CB64A846CB91

                                        Control-flow Graph

Graph of the function at 7ffaac349b58-7ffaac349c6d (rendered as executed and not-executed basic blocks; calls SetWindowsHookExW)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: 09d637d3a765b6e48f04936a5515f9512ff29b66fcf9b4f3b75f7824f6b00ddc
                                        • Instruction ID: 085427a85f0bdd855f242f7652be16b62c28d98b6a4277497d63415597049336
                                        • Opcode Fuzzy Hash: 09d637d3a765b6e48f04936a5515f9512ff29b66fcf9b4f3b75f7824f6b00ddc
                                        • Instruction Fuzzy Hash: B2310B7191CA4D8FDB18DB6CD846AF9BBE1EB59321F00427ED04EC3292CE64A816C7C1

                                        Control-flow Graph

Graph of the function at 7ffaac348eac-7ffaac349c6d (rendered as executed and not-executed basic blocks; calls SetWindowsHookExW)
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.2354688247.00007FFAAC340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC340000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaac340000_dF66DKQP7u.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: fe76df7f31ea64ce1ec98b2a7eeb8d317b1298a23bbd7c8c793bb744897c8618
                                        • Instruction ID: e3894a78b504ace8e87c378d7d3dc9f72afc3ff548fbdf9a70c537de16eaaa4a
                                        • Opcode Fuzzy Hash: fe76df7f31ea64ce1ec98b2a7eeb8d317b1298a23bbd7c8c793bb744897c8618
                                        • Instruction Fuzzy Hash: EE31C571A1CE1D8FDB58EF5CD846AB9B7E5EB59321F10423ED00ED3252DA60A81687C1