Windows Analysis Report
flsqHAiH9d8PzK6.exe

Overview

General Information

Sample name: flsqHAiH9d8PzK6.exe
Analysis ID: 1649408
MD5: c307b3da376fd60f99f76c7f41ea8553
SHA1: dfe0b5abbc9bab383ce3c5d905f5d5403bac47b3
SHA256: 7d36b2b2679349ee274760618e1d5c10b0ade266a7e98102ec7afd04ad520ed3
Tags: exe, user-BastianHein

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match


AV Detection

Source: flsqHAiH9d8PzK6.exe Avira: detected
Source: term-infrastructure.gl.at.ply.gg Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\checker.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["term-infrastructure.gl.at.ply.gg"], "Port": 11486, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\checker.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe ReversingLabs: Detection: 58%
Source: flsqHAiH9d8PzK6.exe Virustotal: Detection: 44%
Source: flsqHAiH9d8PzK6.exe ReversingLabs: Detection: 58%
Source: Submitted Sample Neural Call Log Analysis: 99.9%
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: term-infrastructure.gl.at.ply.gg
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: 11486
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: <123456789>
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.6
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: %Temp%
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp String decryptor: checker.exe
Source: flsqHAiH9d8PzK6.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: flsqHAiH9d8PzK6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.Management.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr

Networking

Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49743 -> 147.185.221.26:11486
Source: Malware configuration extractor URLs: term-infrastructure.gl.at.ply.gg
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 147.185.221.26:11486
Source: Joe Sandbox View IP Address: 147.185.221.26
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: term-infrastructure.gl.at.ply.gg
Source: flsqHAiH9d8PzK6.exe, 00000001.00000002.2547039696.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.2544268428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1352896146.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_01280C61 0_2_01280C61
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_01280C70 0_2_01280C70
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_0128D3A0 0_2_0128D3A0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_0128EEF0 0_2_0128EEF0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C1FB0 0_2_054C1FB0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C4230 0_2_054C4230
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C16E0 0_2_054C16E0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C41E4 0_2_054C41E4
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C1398 0_2_054C1398
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_05D87CE0 0_2_05D87CE0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_05D88710 0_2_05D88710
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_05D8ECE0 0_2_05D8ECE0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 1_2_029F87F8 1_2_029F87F8
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 1_2_029F67F8 1_2_029F67F8
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 1_2_029F5F28 1_2_029F5F28
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 1_2_029F5BE0 1_2_029F5BE0
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 1_2_029F1548 1_2_029F1548
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_01940C70 5_2_01940C70
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_01940C61 5_2_01940C61
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_0194D3A0 5_2_0194D3A0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_0194EEF0 5_2_0194EEF0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_062516E0 5_2_062516E0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_06251FB0 5_2_06251FB0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_06251398 5_2_06251398
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_0631BA80 5_2_0631BA80
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_06318710 5_2_06318710
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_0631ECE0 5_2_0631ECE0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_01560C70 9_2_01560C70
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_01560C61 9_2_01560C61
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_0156D3A0 9_2_0156D3A0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_0156EEF0 9_2_0156EEF0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05D41FB0 9_2_05D41FB0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05D416E0 9_2_05D416E0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05D41398 9_2_05D41398
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05E08710 9_2_05E08710
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05E0ECE0 9_2_05E0ECE0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_0269EEF0 10_2_0269EEF0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_0269D3A0 10_2_0269D3A0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_02690C61 10_2_02690C61
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_02690C70 10_2_02690C70
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_05771FB0 10_2_05771FB0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_057716E0 10_2_057716E0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_05771398 10_2_05771398
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_05838710 10_2_05838710
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_0583010D 10_2_0583010D
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_058300AE 10_2_058300AE
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_058300C9 10_2_058300C9
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_0583ECE0 10_2_0583ECE0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_05830040 10_2_05830040
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_010A0C61 13_2_010A0C61
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_010A0C70 13_2_010A0C70
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_010AD3A0 13_2_010AD3A0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_010AEEF0 13_2_010AEEF0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A91FB0 13_2_05A91FB0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A916E0 13_2_05A916E0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A91398 13_2_05A91398
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05B58710 13_2_05B58710
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05B5ECE0 13_2_05B5ECE0
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8688 -s 1144
Source: flsqHAiH9d8PzK6.exe, 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 00000000.00000002.1351847039.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 00000000.00000002.1352896146.00000000033CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 00000001.00000002.2544268428.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 00000005.00000002.1557742746.000000000175E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 00000005.00000002.1564775056.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe, 0000000A.00000002.1724367910.00000000027E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs flsqHAiH9d8PzK6.exe
Source: flsqHAiH9d8PzK6.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.2544268428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1352896146.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: flsqHAiH9d8PzK6.exe, -----------.cs Cryptographic APIs: 'CreateDecryptor'
Source: flsqHAiH9d8PzK6.exe, -----------.cs Cryptographic APIs: 'CreateDecryptor'
Source: flsqHAiH9d8PzK6.exe, -----------.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.raw.unpack, -----------.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.raw.unpack, -----------.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.raw.unpack, -----------.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Settings.cs Base64 encoded string: 'LxcpSpqRNi6I7oxLRlgI/erWeYTXd121tUvHVs8bFslmsldqzb0wCS0nbQni5RZm'
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Settings.cs Base64 encoded string: 'LxcpSpqRNi6I7oxLRlgI/erWeYTXd121tUvHVs8bFslmsldqzb0wCS0nbQni5RZm'
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, Settings.cs Base64 encoded string: 'LxcpSpqRNi6I7oxLRlgI/erWeYTXd121tUvHVs8bFslmsldqzb0wCS0nbQni5RZm'
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/12@1/1
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File created: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4480
Source: C:\Users\user\AppData\Local\Temp\checker.exe Mutant created: NULL
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Mutant created: \Sessions\1\BaseNamedObjects\FpTU3XoyL2yXAvby
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8688
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File created: C:\Users\user\AppData\Local\Temp\checker.exe
Source: flsqHAiH9d8PzK6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: flsqHAiH9d8PzK6.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: flsqHAiH9d8PzK6.exe Virustotal: Detection: 44%
Source: flsqHAiH9d8PzK6.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File read: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe
Source: unknown Process created: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe "C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe"
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process created: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe "C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe "C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe"
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8688 -s 1144
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\checker.exe "C:\Users\user\AppData\Local\Temp\checker.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe "C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe"
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1112
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\checker.exe "C:\Users\user\AppData\Local\Temp\checker.exe"
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process created: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe "C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe" Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\checker.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: flsqHAiH9d8PzK6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: flsqHAiH9d8PzK6.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: flsqHAiH9d8PzK6.exe Static file information: File size 2979840 > 1048576
Source: flsqHAiH9d8PzK6.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x294e00
Source: flsqHAiH9d8PzK6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.Management.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER7AEB.tmp.dmp.12.dr, WER390F.tmp.dmp.8.dr

Data Obfuscation

Source: flsqHAiH9d8PzK6.exe, -----------.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.raw.unpack, -----------.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_05D83105 push ebx; iretd 0_2_05D8310A
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_05D834FA pushad ; retf 0_2_05D834FD
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_05D83CBE pushfd ; ret 0_2_05D83CC1
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_0631BA80 push es; retf 5_2_0631E5F8
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_06313CBE pushfd ; ret 5_2_06313CC1
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_063134FA pushad ; retf 5_2_063134FD
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 5_2_06313105 push ebx; iretd 5_2_0631310A
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05E03105 push ebx; iretd 9_2_05E0310A
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05E034FA pushad ; retf 9_2_05E034FD
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 9_2_05E03CBE pushfd ; ret 9_2_05E03CC1
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_05833105 push ebx; iretd 10_2_0583310A
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_05833CBE pushfd ; ret 10_2_05833CC1
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Code function: 10_2_058334FA pushad ; retf 10_2_058334FD
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_010A13EF push ecx; iretd 13_2_010A13F0
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A929F9 push cs; iretd 13_2_05A92A06
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A92738 push ds; iretd 13_2_05A92746
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A92760 push cs; iretd 13_2_05A9276E
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A92B50 push cs; iretd 13_2_05A92B5E
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A926FA push ds; iretd 13_2_05A92706
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05A926D0 push ds; iretd 13_2_05A926DE
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05B53105 push ebx; iretd 13_2_05B5310A
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05B53CBE pushfd ; ret 13_2_05B53CC1
Source: C:\Users\user\AppData\Local\Temp\checker.exe Code function: 13_2_05B534FA pushad ; retf 13_2_05B534FD
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File created: C:\Users\user\AppData\Local\Temp\checker.exe
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File created: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe

Boot Survival

Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 666999666
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run checker
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\checker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Process information set: NOOPENFILEERRORBOX (29 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Users\user\AppData\Local\Temp\checker.exe Process information set: NOOPENFILEERRORBOX (27 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (14 identical entries)
Source: checker.exe, 00000009.00000002.1624712284.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, checker.exe, 00000009.00000002.1627403463.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, checker.exe, 0000000D.00000002.1790412616.0000000002E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: flsqHAiH9d8PzK6.exe, 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, flsqHAiH9d8PzK6.exe, 00000005.00000002.1564775056.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, checker.exe, 00000009.00000002.1627403463.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, flsqHAiH9d8PzK6.exe, 0000000A.00000002.1724367910.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, checker.exe, 0000000D.00000002.1790412616.0000000002E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Q SBIEDLL.DLLOLHELPERENTYZER
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: 1280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: 4BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Memory allocated: 1940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Memory allocated: 33A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Memory allocated: 53A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\checker.exe Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\checker.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\checker.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Memory allocated: 47E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\checker.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\checker.exe Memory allocated: 2E10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\checker.exe Memory allocated: 12D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Window / User API: threadDelayed 3723
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Window / User API: threadDelayed 6126
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 8952 Thread sleep count: 187 > 30
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 8928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 9096 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 9096 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 9108 Thread sleep count: 3723 > 30
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 9108 Thread sleep count: 6126 > 30
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe TID: 6196 Thread sleep count: 212 > 30
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe TID: 8344 Thread sleep count: 239 > 30
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\checker.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem (2 identical entries)
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe File Volume queried: C:\ FullSizeInformation (14 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: checker.exe, 0000000D.00000002.1790412616.0000000002E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VIRTUALavmwarecVirtualBoxd106&91&80&92&125&85&85&23&93&85&8593&87&74&73&64
Source: checker.exe, 0000000D.00000002.1790412616.0000000002E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: flsqHAiH9d8PzK6.exe, 00000001.00000002.2544794400.0000000000D96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: checker.exe, 0000000D.00000002.1790412616.0000000002E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware@\
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C2928 CheckRemoteDebuggerPresent, 0_2_054C2928
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\checker.exe Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory allocated: page read and write | page guard
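The evasion and anti-debugging entries above are raw per-event lines. The Python triage helper below is an added example, not part of the Joe Sandbox report: it parses lines of that form and buckets them per process into indicator classes (VM discovery via WMI, AV discovery, sandbox/VM strings in memory, sleep patterns, debugger checks). The label names and thresholds are the example's own choices; the sample lines are copied from this report. One point it encodes: the delay value 922337203685477 ms corresponds to Int64.MinValue / 10000, the relative interval Windows hands to NtDelayExecution for an infinite wait, so that entry is an infinite sleep (what a .NET Thread.Sleep(Timeout.Infinite) on a main thread produces) rather than a timed one.

```python
"""Added triage helper, not part of the Joe Sandbox report: parses plain-text
"Source: <process> <event>: <detail>" entries from the evasion and anti-debugging
sections and buckets them into indicator classes per process.
Label names and thresholds are this example's own choices."""
import re
from collections import Counter, defaultdict

# Windows passes the relative interval 0x8000000000000000 (Int64.MinValue) to
# NtDelayExecution for Sleep(INFINITE); in milliseconds that truncates to the
# 922337203685477 the report shows, i.e. the sleep is effectively infinite.
INFINITE_SLEEP_MS = (1 << 63) // 10_000      # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                # report's "long sleep" threshold (>= 3 min)

EVENT_KINDS = ("WMI Queries", "Thread delayed", "TID", "Code function",
               "Process queried", "Binary or memory string")
LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>"
                     + "|".join(re.escape(k) for k in EVENT_KINDS)
                     + r"): (?P<detail>.*)$")
WMI_RE = re.compile(r"root\\(?P<ns>\S+) : select \* from (?P<cls>\w+)", re.IGNORECASE)
WMI_LABELS = {                               # WMI class -> what the query is used for
    "win32_videocontroller": "vm-detect:gpu-name",
    "win32_computersystem": "vm-detect:manufacturer-model",
    "antivirusproduct": "av-discovery",
}
SANDBOX_STRINGS = ("sbiedll", "vmware", "virtualbox", "vbox", "hyper-v")
ANTIDEBUG_MARKERS = ("checkremotedebuggerpresent", "isdebuggerpresent", "debugport")


def sleep_class(ms: int) -> str:
    """Bucket a delay in milliseconds the way an analyst reads it."""
    if ms >= INFINITE_SLEEP_MS:
        return "sleep:infinite"
    if ms >= LONG_SLEEP_MS:
        return "sleep:long"
    return "sleep:short"


def classify(kind: str, detail: str):
    """Map one report event to an indicator label, or None if not interesting."""
    low = detail.lower()
    if kind == "WMI Queries":
        m = WMI_RE.search(detail)
        if m:
            return WMI_LABELS.get(m.group("cls").lower(), "wmi:" + m.group("cls"))
    elif kind == "Thread delayed":
        m = re.search(r"delay time: (\d+)", detail)
        if m:
            return sleep_class(int(m.group(1)))
    elif kind == "TID":
        if re.search(r"Thread sleep count: \d+ > \d+", detail):
            return "sleep:loop"              # many short sleeps to burn sandbox time
    elif kind == "Binary or memory string":
        if any(s in low for s in SANDBOX_STRINGS):
            return "string:sandbox-or-vm"
    elif kind in ("Code function", "Process queried"):
        if any(a in low for a in ANTIDEBUG_MARKERS):
            return "anti-debug"
    return None


def process_name(src: str) -> str:
    """'C:\\...\\checker.exe' and 'checker.exe, 0000000D...sdmp' both give checker.exe."""
    return src.split(",", 1)[0].rsplit("\\", 1)[-1]


def triage(report_text: str) -> dict:
    """Return {process: {label: count}} for every classifiable line."""
    findings = defaultdict(Counter)
    for raw in report_text.splitlines():
        line = raw.strip().removesuffix(" Jump to behavior")   # web-page link residue
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m.group("kind"), m.group("detail"))
        if label:
            findings[process_name(m.group("src"))][label] += 1
    return {proc: dict(c) for proc, c in findings.items()}


# Sample lines copied from the report above (constructed test input for this example).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe TID: 8952 Thread sleep count: 187 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\checker.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Code function: 0_2_054C2928 CheckRemoteDebuggerPresent, 0_2_054C2928
Source: C:\Users\user\AppData\Local\Temp\checker.exe Process queried: DebugPort
Source: checker.exe, 0000000D.00000002.1790412616.0000000002E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
"""

if __name__ == "__main__":
    for proc, labels in triage(SAMPLE_LINES).items():
        print(proc, labels)
```

Run as a script it prints one line per process with its indicator counts; pasting a larger slice of the report into SAMPLE_LINES (or feeding a file to triage()) gives the per-process picture in one pass instead of scrolling hundreds of near-identical entries.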

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Memory written: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Process created: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe "C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe"
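The "Memory written ... base: 400000 value starts with: 4D5A" entry records a PE image being written into the freshly created copy of the sample at the default 32-bit EXE image base, the characteristic process-hollowing step. The Python check below is an added example, not part of the report or of the analysed sample: given a buffer written into another process and the target address, it parses the DOS, COFF and optional headers with struct only and reports whether the buffer is an executable image whose preferred ImageBase matches the write address, and whether it carries a CLR header (the report's payloads are .NET). The PE image it builds is constructed for the demonstration.

```python
"""Added example, not part of the report: sanity-check a buffer written into a
(suspended) child process at a given base, the pattern behind the
"Memory written: ... base: 400000 value starts with: 4D5A" entry.
Only the DOS/COFF/optional headers are parsed; the sample image is constructed."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
CLR_DIRECTORY_INDEX = 14              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def parse_pe_headers(buf: bytes) -> dict:
    """Return the header fields that matter for a hollowing verdict, or raise ValueError."""
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(buf):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
        dirs, ndirs_off = opt + 96, opt + 92          # data directories / NumberOfRvaAndSizes
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
        dirs, ndirs_off = opt + 112, opt + 108
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", buf, opt + 16)[0]            # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]    # SizeOfImage (same offset in PE32/PE32+)
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]        # Subsystem (same offset in PE32/PE32+)
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]
    clr_rva = 0
    if ndirs > CLR_DIRECTORY_INDEX and dirs + (CLR_DIRECTORY_INDEX + 1) * 8 <= len(buf):
        clr_rva = struct.unpack_from("<I", buf, dirs + CLR_DIRECTORY_INDEX * 8)[0]
    return {"machine": machine,
            "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "image_base": image_base, "entry_point": entry,
            "size_of_image": size_of_image, "subsystem": subsystem,
            "dotnet": clr_rva != 0}


def assess_write(buf: bytes, base: int) -> dict:
    """Classify a cross-process write of `buf` landing at address `base`."""
    try:
        hdr = parse_pe_headers(buf)
    except ValueError as err:
        return {"is_pe": False, "reason": str(err)}
    hdr["is_pe"] = True
    hdr["matches_base"] = hdr["image_base"] == base
    if hdr["is_executable"] and not hdr["is_dll"] and hdr["matches_base"]:
        hdr["verdict"] = "full EXE image written at its preferred base: process hollowing candidate"
    elif hdr["is_dll"]:
        hdr["verdict"] = "DLL image written into a foreign process: reflective/manual load candidate"
    else:
        hdr["verdict"] = "PE image written away from its preferred base: relocation needed"
    return hdr


def build_sample_pe(image_base: int, dotnet: bool = False) -> bytes:
    """Constructed minimal PE32 header (no sections), for demonstration only."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt = bytearray(0xE0)                                         # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x2000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                   # ImageBase
    struct.pack_into("<I", opt, 56, 0x6000)                       # SizeOfImage
    struct.pack_into("<H", opt, 68, 2)                            # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, EXE | 32BIT_MACHINE
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt)


if __name__ == "__main__":
    written = build_sample_pe(0x400000, dotnet=True)
    print(assess_write(written, 0x400000)["verdict"])
```

The same function applies to a WriteProcessMemory buffer captured from an ETW/EDR event or to the `1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack` dump listed under the Yara matches: an EXE whose preferred base equals the write address, in a child created in suspended mode, is the signature of hollowing rather than of a benign loader.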
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Queries volume information: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe Queries volume information: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\checker.exe Queries volume information: C:\Users\user\AppData\Local\Temp\checker.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: flsqHAiH9d8PzK6.exe, 00000001.00000002.2544794400.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, flsqHAiH9d8PzK6.exe, 00000001.00000002.2544794400.0000000000D96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\flsqHAiH9d8PzK6.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (14 identical entries)

Stealing of Sensitive Information

Source: Yara match File source: flsqHAiH9d8PzK6.exe, type: SAMPLE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.flsqHAiH9d8PzK6.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1371797489.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1293410990.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\checker.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe, type: DROPPED
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2544268428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1352896146.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: flsqHAiH9d8PzK6.exe PID: 8908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: flsqHAiH9d8PzK6.exe PID: 9008, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: flsqHAiH9d8PzK6.exe, type: SAMPLE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.5b60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.flsqHAiH9d8PzK6.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1371797489.0000000005B60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1293410990.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\checker.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\flsqHAiH9d8PzK6.exe, type: DROPPED
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.flsqHAiH9d8PzK6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35a1ae4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.35aa124.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.flsqHAiH9d8PzK6.exe.30fdb8c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2544268428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1352896146.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1352896146.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: flsqHAiH9d8PzK6.exe PID: 8908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: flsqHAiH9d8PzK6.exe PID: 9008, type: MEMORYSTR