Windows Analysis Report
kwlYObMOSn.exe

Overview

General Information

Sample name:	kwlYObMOSn.exe renamed because original name is a hash value
Original sample name:	3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e.exe
Analysis ID:	1561585
MD5:	f28a1fb54a5c3b2b4e4184e3dff4f50a
SHA1:	180878512f7cd7c75c87fff174203228de688d34
SHA256:	3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e
Tags:	exeuser-Chainskilabs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kwlYObMOSn.exe

Avira: detected

Antivirus detection for URL or domain

Source: Cactus-33152.portmap.host	Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Teams.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\XClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["Cactus-33152.portmap.host"], "Port": 33152, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Teams.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: kwlYObMOSn.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Teams.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kwlYObMOSn.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: Cactus-33152.portmap.host
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: 33152
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: <123456789>
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: <Xwormmm>
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: XWorm V5.2
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: USB.exe
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: %AppData%
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: Teams.exe

Uses 32bit PE files

Source: kwlYObMOSn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: kwlYObMOSn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Numerics.pdb0D source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbpH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb 0 source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp, WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9337.tmp.dmp.14.dr
Source:	Binary string: m.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2547594514.000001E6EE236000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49850 -> 193.161.193.99:33152
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50028 -> 193.161.193.99:33152

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: Cactus-33152.portmap.host

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 193.161.193.99:33152

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.203.125 172.67.203.125
Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View	IP Address: 128.116.119.3 128.116.119.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 172.67.203.125:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: getsolara.dev
Source: global traffic	DNS traffic detected: DNS query: Cactus-33152.portmap.host
Source: global traffic	DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic	DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic	DNS traffic detected: DNS query: nodejs.org

Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:64632
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientsettings.roblox.com
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-term4-lhr2.roblox.com
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://getsolara.dev
Source: BootstrapperV1.23.exe.0.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68009A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4502717565.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68017D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68017D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800D2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68017D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800AA000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680013000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ncs.roblox.com/upload
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49710 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\XClient.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F52540	2_2_00007FF848F52540
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F46DB0	2_2_00007FF848F46DB0
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F44928	2_2_00007FF848F44928
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F21689	4_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F284D2	4_2_00007FF848F284D2
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F27726	4_2_00007FF848F27726
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F20EFA	4_2_00007FF848F20EFA
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F21FC1	4_2_00007FF848F21FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F31689	10_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F30EFA	10_2_00007FF848F30EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F31FC1	10_2_00007FF848F31FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 11_2_00007FF848F01689	11_2_00007FF848F01689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 11_2_00007FF848F01FC1	11_2_00007FF848F01FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 11_2_00007FF848F00EFA	11_2_00007FF848F00EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F11689	17_2_00007FF848F11689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F10EFA	17_2_00007FF848F10EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F11FC1	17_2_00007FF848F11FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F31689	19_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F30EFA	19_2_00007FF848F30EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F31FC1	19_2_00007FF848F31FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F21689	20_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F20EFA	20_2_00007FF848F20EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F21FC1	20_2_00007FF848F21FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F21689	21_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F20EFA	21_2_00007FF848F20EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F21FC1	21_2_00007FF848F21FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F31689	22_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F30EFA	22_2_00007FF848F30EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F31FC1	22_2_00007FF848F31FC1

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe 8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3

One or more processes crash

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196

Sample file is different than original file name gathered from version info

Source: kwlYObMOSn.exe, 00000000.00000000.2042845470.0000000000DDE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXevo.exe4 vs kwlYObMOSn.exe
Source: kwlYObMOSn.exe, 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs kwlYObMOSn.exe
Source: kwlYObMOSn.exe	Binary or memory string: OriginalFilenameXevo.exe4 vs kwlYObMOSn.exe

Uses 32bit PE files

Source: kwlYObMOSn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: kwlYObMOSn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kwlYObMOSn.exe, Program.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Teams.exe.4.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/13@5/5

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

File created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Mutant created: \Sessions\1\BaseNamedObjects\bKGK9XtDE4HepKISm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Teams.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\4QViFEjJzqTHCbHq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2860

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

File created: C:\Users\user\AppData\Local\Temp\node-v18.16.0-x64.msi

Jump to behavior

Source: kwlYObMOSn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kwlYObMOSn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kwlYObMOSn.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\kwlYObMOSn.exe "C:\Users\user\Desktop\kwlYObMOSn.exe"
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe "C:\Users\user\AppData\Roaming\Teams.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe "C:\Users\user\AppData\Roaming\Teams.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Teams.lnk.4.dr

LNK file: ..\..\..\..\..\Teams.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kwlYObMOSn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: kwlYObMOSn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Numerics.pdb0D source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbpH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb 0 source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp, WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9337.tmp.dmp.14.dr
Source:	Binary string: m.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2547594514.000001E6EE236000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Code function: 0_2_00007FF848F200BD pushad ; iretd	0_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F5D668 push ss; retf	2_2_00007FF848F5D837
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F5A272 push ebx; retf	2_2_00007FF848F5A282
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F400BD pushad ; iretd	2_2_00007FF848F400C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F21288 push ebx; retf FFEFh	4_2_00007FF848F2134A
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F200BD pushad ; iretd	4_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F300BD pushad ; iretd	10_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F100BD pushad ; iretd	17_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F300BD pushad ; iretd	19_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F200BD pushad ; iretd	20_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F200BD pushad ; iretd	21_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F300BD pushad ; iretd	22_2_00007FF848F300C1

Source: kwlYObMOSn.exe

Static PE information: section name: .text entropy: 7.998505878740895

Source: XClient.exe.0.dr, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: XClient.exe.0.dr, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: XClient.exe.0.dr, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: XClient.exe.0.dr, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: XClient.exe.0.dr, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: XClient.exe.0.dr, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: XClient.exe.0.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
Source: Teams.exe.4.dr, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: Teams.exe.4.dr, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: Teams.exe.4.dr, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: Teams.exe.4.dr, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: Teams.exe.4.dr, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: Teams.exe.4.dr, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: Teams.exe.4.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: Teams.exe.4.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Drops PE files

Source: C:\Users\user\AppData\Roaming\XClient.exe	File created: C:\Users\user\AppData\Roaming\Teams.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	File created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\XClient.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Teams			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Teams			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Memory allocated: 1620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Memory allocated: 1E6EBDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Memory allocated: 1E6EDAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1B160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AE70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1A900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1A1E0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598521	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597934	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596583	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596339	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596073	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Window / User API: threadDelayed 4143	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Window / User API: threadDelayed 5650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Window / User API: threadDelayed 7359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Window / User API: threadDelayed 2495	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\kwlYObMOSn.exe TID: 5028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598521s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597934s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596583s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596073s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595793s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -593954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -593829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -593704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6196	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 2924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 1856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 2124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5032	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598521	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597934	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596583	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596339	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596073	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: kwlYObMOSn.exe, 00000000.00000002.2052402034.0000000001256000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: XClient.exe, 00000004.00000002.4506642415.000000001C130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"/>
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: XClient.exe, 00000004.00000002.4501579682.0000000001460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: BootstrapperV1.23.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Queries volume information: C:\Users\user\Desktop\kwlYObMOSn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Queries volume information: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: XClient.exe, 00000004.00000002.4501579682.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4501579682.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4506642415.000000001C130000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4506642415.000000001C1BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kwlYObMOSn.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kwlYObMOSn.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.203.125	getsolara.dev	United States	13335	CLOUDFLARENETUS	false
193.161.193.99	Cactus-33152.portmap.host	Russian Federation	198134	BITREE-ASRU	true
128.116.119.3	edge-term4-lhr2.roblox.com	United States	22697	ROBLOX-PRODUCTIONUS	false
104.20.22.46	www.nodejs.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
Cactus-33152.portmap.host	193.161.193.99	true
nodejs.org	104.20.23.46	true
getsolara.dev	172.67.203.125	true
www.nodejs.org	104.20.22.46	true
edge-term4-lhr2.roblox.com	128.116.119.3	true
clientsettings.roblox.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
Cactus-33152.portmap.host	true	Avira URL Cloud: malware	unknown
https://getsolara.dev/asset/discord.json	false		high
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	false		high
https://getsolara.dev/api/endpoint.json	false		high
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kwlYObMOSn.exe

Avira: detected

Antivirus detection for URL or domain

Source: Cactus-33152.portmap.host	Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Avira URL Cloud: Label: malware
Source: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Teams.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\XClient.exe	Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["Cactus-33152.portmap.host"], "Port": 33152, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Teams.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: kwlYObMOSn.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Teams.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kwlYObMOSn.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: Cactus-33152.portmap.host
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: 33152
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: <123456789>
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: <Xwormmm>
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: XWorm V5.2
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: USB.exe
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: %AppData%
Source: 4.0.XClient.exe.f20000.0.unpack	String decryptor: Teams.exe

Uses 32bit PE files

Source: kwlYObMOSn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: kwlYObMOSn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Numerics.pdb0D source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbpH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb 0 source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp, WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9337.tmp.dmp.14.dr
Source:	Binary string: m.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2547594514.000001E6EE236000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49850 -> 193.161.193.99:33152
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50028 -> 193.161.193.99:33152

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: Cactus-33152.portmap.host

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 193.161.193.99:33152

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.203.125 172.67.203.125
Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View	IP Address: 128.116.119.3 128.116.119.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 172.67.203.125:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/endpoint.json HTTP/1.1Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Host: www.nodejs.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: getsolara.dev
Source: global traffic	DNS traffic detected: DNS query: Cactus-33152.portmap.host
Source: global traffic	DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic	DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic	DNS traffic detected: DNS query: nodejs.org

Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:64632
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientsettings.roblox.com
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-term4-lhr2.roblox.com
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://getsolara.dev
Source: BootstrapperV1.23.exe.0.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68009A000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4502717565.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68017D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68017D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800D2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68017D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fdf3b68c.solaraweb-alj.pages.dev/download/static/files/Solara.Dir.zip
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6800AA000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680013000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768754/raw/main/endpoint.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680001000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://gitlab.com/cmd-softworks1/a/-/snippets/4768756/raw/main/discord.json
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ncs.roblox.com/upload
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E680117000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nodejs.org
Source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E68019F000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: BootstrapperV1.23.exe, 00000002.00000000.2050063683.000001E6EBAA2000.00000002.00000001.01000000.00000006.sdmp, BootstrapperV1.23.exe.0.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.22.46:443 -> 192.168.2.5:49710 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Roaming\XClient.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F52540	2_2_00007FF848F52540
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F46DB0	2_2_00007FF848F46DB0
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F44928	2_2_00007FF848F44928
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F21689	4_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F284D2	4_2_00007FF848F284D2
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F27726	4_2_00007FF848F27726
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F20EFA	4_2_00007FF848F20EFA
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F21FC1	4_2_00007FF848F21FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F31689	10_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F30EFA	10_2_00007FF848F30EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F31FC1	10_2_00007FF848F31FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 11_2_00007FF848F01689	11_2_00007FF848F01689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 11_2_00007FF848F01FC1	11_2_00007FF848F01FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 11_2_00007FF848F00EFA	11_2_00007FF848F00EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F11689	17_2_00007FF848F11689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F10EFA	17_2_00007FF848F10EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F11FC1	17_2_00007FF848F11FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F31689	19_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F30EFA	19_2_00007FF848F30EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F31FC1	19_2_00007FF848F31FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F21689	20_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F20EFA	20_2_00007FF848F20EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F21FC1	20_2_00007FF848F21FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F21689	21_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F20EFA	21_2_00007FF848F20EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F21FC1	21_2_00007FF848F21FC1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F31689	22_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F30EFA	22_2_00007FF848F30EFA
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F31FC1	22_2_00007FF848F31FC1

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe 8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3

One or more processes crash

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196

Sample file is different than original file name gathered from version info

Source: kwlYObMOSn.exe, 00000000.00000000.2042845470.0000000000DDE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXevo.exe4 vs kwlYObMOSn.exe
Source: kwlYObMOSn.exe, 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs kwlYObMOSn.exe
Source: kwlYObMOSn.exe	Binary or memory string: OriginalFilenameXevo.exe4 vs kwlYObMOSn.exe

Uses 32bit PE files

Source: kwlYObMOSn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: kwlYObMOSn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kwlYObMOSn.exe, Program.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Teams.exe.4.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/13@5/5

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

File created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Mutant created: \Sessions\1\BaseNamedObjects\bKGK9XtDE4HepKISm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Teams.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\4QViFEjJzqTHCbHq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2860

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

File created: C:\Users\user\AppData\Local\Temp\node-v18.16.0-x64.msi

Jump to behavior

Source: kwlYObMOSn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kwlYObMOSn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kwlYObMOSn.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\kwlYObMOSn.exe "C:\Users\user\Desktop\kwlYObMOSn.exe"
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe "C:\Users\user\AppData\Roaming\Teams.exe"
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2860 -s 2196
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe "C:\Users\user\AppData\Roaming\Teams.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Teams.exe C:\Users\user\AppData\Roaming\Teams.exe
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Teams.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Teams.lnk.4.dr

LNK file: ..\..\..\..\..\Teams.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kwlYObMOSn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: kwlYObMOSn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Numerics.pdb0D source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbpH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb 0 source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2545484392.000001E6802D0000.00000004.00000800.00020000.00000000.sdmp, WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Data.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbH source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9337.tmp.dmp.14.dr
Source:	Binary string: m.pdb source: BootstrapperV1.23.exe, 00000002.00000002.2547594514.000001E6EE236000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.ni.pdb source: WER9337.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9337.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Uc3BjQmcdurs1N4Pk8uOPT3r._8INdwf8o8QeXO9oljCg2qau3,Uc3BjQmcdurs1N4Pk8uOPT3r.w4jjQAiWJjeWjPn5LGOnd2rh,Uc3BjQmcdurs1N4Pk8uOPT3r.Oc2SgI0FMUad2iOhT13qTv7x,Uc3BjQmcdurs1N4Pk8uOPT3r.HCjNWVI0UaCoWdctk2D0X5kD,TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.l7s6lE7HnjB689NpEb9j6bRw8y5esn6Io4lJz1O2cbx45UBPSbFjkQ7MxDu2Ed8aGatPCv0W95()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[2],TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.pq8Es3hqExtddH31UC6maYpyOgIBJ1ns4zvxO0gDXB78bfXDEulWaIWEVTSIRbqbwLFo96jsZ2(Convert.FromBase64String(qWABHFmQnV3vztJxi66C2CggGqVQqnFb8zrIJ7ZIg28vHsgoBuuO56eGx9ZyDdO6C2tZHTugemlHHEcDtmsdVSIK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD System.AppDomain.Load(byte[])
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl System.AppDomain.Load(byte[])
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	.Net Code: WQeCpH8EhMH9FT1oWn2I4MAqvRX9YldCWTBGPD3fu7dY1lRZOpOQBCdLGPpwYplVHjR25GLuESdhpEeBqFlguDIl

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Code function: 0_2_00007FF848F200BD pushad ; iretd	0_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F5D668 push ss; retf	2_2_00007FF848F5D837
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F5A272 push ebx; retf	2_2_00007FF848F5A282
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Code function: 2_2_00007FF848F400BD pushad ; iretd	2_2_00007FF848F400C1
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F21288 push ebx; retf FFEFh	4_2_00007FF848F2134A
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 4_2_00007FF848F200BD pushad ; iretd	4_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 10_2_00007FF848F300BD pushad ; iretd	10_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 17_2_00007FF848F100BD pushad ; iretd	17_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 19_2_00007FF848F300BD pushad ; iretd	19_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 20_2_00007FF848F200BD pushad ; iretd	20_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 21_2_00007FF848F200BD pushad ; iretd	21_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Teams.exe	Code function: 22_2_00007FF848F300BD pushad ; iretd	22_2_00007FF848F300C1

Source: kwlYObMOSn.exe

Static PE information: section name: .text entropy: 7.998505878740895

Source: XClient.exe.0.dr, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: XClient.exe.0.dr, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: XClient.exe.0.dr, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: XClient.exe.0.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: XClient.exe.0.dr, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: XClient.exe.0.dr, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: XClient.exe.0.dr, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: XClient.exe.0.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: XClient.exe.0.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: XClient.exe.0.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'
Source: Teams.exe.4.dr, 8geLz7PVJDaHJbPqbQcZhNJgzEYf94XxUjqToyM7ntcdaErGYo85BKZd5IU2rTC2VTHwDLwlQR.cs	High entropy of concatenated method names: 'uQRqgRCZAI2DLD4VZztwHIa2xB7rcn4KBVvQgd8wntRPFcfChBEcM1MVLyk1oWiCJZ70ydYESo', 'P9ClOHa4rdlhCfAL', '_8O7FpOeok5QJPY2M', '_1Lh7vxdiNyOh4xplo71TKYxNTFIluIVOdhgkI2kfZvRRbHrCbHo', '_17nP4NzneHKSpy6pdgPpVs7ZVeLImiBE03PwZzVyFOeJmLyQo4A', '_2mtUAoy1PpsiO3a6WVS8vt4JDEVD6fxsxWYi6aEpmrWCYQHgtW9', 'pF0gZckkZIhzsVx8qS6ryFY5k8F3PISS4xCzcIHphArwL78x5uS', 'ptccob2gnTJGPvhwotnNYcEmx8rlLfXz1cVD12PL9rDzLzTSpBU', 'zBVEIMs6Brz10OdxLT3NXvSU2g4J7CEA9FDwgYrdgnawBQG4rTV', '_1mI298zT5Ncrgaymc6Yxjf5pBTYy9wM3OxHSc8YHTfSfmeeLOtn'
Source: Teams.exe.4.dr, Uc3BjQmcdurs1N4Pk8uOPT3r.cs	High entropy of concatenated method names: 'LIQW8jYDJQYI4x5LlOPgbwhMaU9LQZ7njJyJjpby9nf9nSTzsOsoRMg0OtuQLuK8lEirs3ldOSC2uWYxgeZAnavitIg', 'uobLoYbpfOS2gFExFHNEl8xGtAAhONvvRiCcHvgCFKMGtxQcaxXRNayXrW2QtQtnsySAsXAimlV0JGehwzWqx5B5dDz', '_3ecpUmWdVZGLbB0HkWul2MUlQYx1flc6FmIUw7Pb1oMKyYssKy155wOBju2Nc5M7K7NCjL0A5MENiKSVIBGbXbuV0ZL', 'V6fkO4govhkzWuUWVVoIjmI1ysVqLZkDT9uxhlwqGWFs6ZuFZbvmNQinxkFpJWQcQ6g2z2oyZ48q0UMKTQ5KV004UDZ'
Source: Teams.exe.4.dr, jo5XtzA2m7JH1S9wBz7M2Z2mAmU9QBxH2A204V.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Nj1K87Wq3d1jNDDqPZjSrXrWJIEAIOR3yPogCdBsWvxZtNR27HRfQNQF2FTTffK3tgITmjEiJWbdvszUkVAfEKTMRW4', 'yEMLQpTfjLhInCdYYjQeD01R2ZzocmV6v6t9mmWd1x1ebbTvOPluqqukwGkykoNP5zKe8SEEuKog7MTqYu63O3Zl6vO', 'Ok9lHapzpi5sNXQa1mmnoTA01HV46aEsCody8fBndwLXXtIqA7HhIiBp52zYZzprXM7k9wdIzlcgKqIpa7PyUlr4lnO', 'GcTJqnh5FCcyKu1r3YdH0TUpnTNdFE3sZnXENtKsLoZQ3KzyjKe8vOnXVooloZxJJvmzWUoM1vUkaIx3XbtKa4KkXJs'
Source: Teams.exe.4.dr, algSkwMmgudIic5cQ2Q90SqIDKwJWCDnrXTAUds3tNLiPAxSvcXsAcPV.cs	High entropy of concatenated method names: 'Znz1YJbjDstF3NnCtce9JA5rvdCTEIiVIaYeZby890EK9ogT5gc2hzIF', 'QH6BzTzzL1KqBZpIuFs51GiP0ooeey6t2gKmhw3JQMHBFhQBGCZ3vouD', 'peMVjIfxwRiF2zyIqbgXQr6yKGk0owQXCDxTpQL9Z8hwkbnP7xj35HQi', 'kI7NpaySKqRsWiRSd3wfgM0ynfPtM0NheDNeyKxRYDIorB8zvn26XV5N', 'Bo6RAokTurylQeyxBlbnaZgIIMOSLrb34Q6zYsN2ptxKbE46iggr8VBw', 'OTNoPcpn2FUWyPDUtNdNRTmCkjpseegnxdLsmvo3P43zxFLHsUM53v49', 'mUFbQRip6QDF2MCeKJyOgcnLUqjGmtuiLz3IAZae3wkqsiYxgbFQAYqQ', 'cT1goHaztVDbTi5lLou7fesoYqqqEhqodRKbs2lXLZsZIFFIiXd7EY0J', 'L4TKjPPvq2gqLdM9k3xyfBKjnDE7n3TiUxJqsWgPBROsQe3stiAea1yB01EnnliWftDCpfu0VdflOiL13RZIU15L', '_9B0s2RQ36gmV2Q7g8v77F7Ln3jUnJJVSivs9mjErF27Nr3ttqayNn48AoF66CaizfjJzbGf6OORwXlCPkJ3PuUOS'
Source: Teams.exe.4.dr, uC4bX9qmnfDttpZXgexIMCB3.cs	High entropy of concatenated method names: 'nNtoatmovcCMfktBBqWvVSlu', 'qbFH3Tk9ffXeadnS69DVF7F5', 'dPovAIFp4d38VfpIQHRkmd1T', 'TiIJNIcbO0Rlt6or7mWc8LfIqGb5xfaBEAagpmE6qAaJqi7ffsTVpQH34YsEH1Y4xSGTy39zzlPGVQ6af8cihl5uUCh', 'LUFgBfZwnUGTK5yaCcpctVmaqlanJq3IYhXgie53Xlw11AzOQM7p64nZFQpy5UFxqNEHfngHC1lMFHBFS52Oy1tOnIi', 'ubtNdMj2CpELyOwKdi58UGLE4yqjfou62', '_9Vg6xoiOBscSTkOZTFie5VKcMSobDzt0Z', 'elcLxLdMPUAQ3Z4XJ7ywr2Yw8aYdV7JV9', 'vKJ0EB23zmyxiqi7HlrqIKpUHkujCDkmA', 'Rg8qNclJhsV9fzncMtsxK5qLYWrUYh7xZ'
Source: Teams.exe.4.dr, vPNx814kaDySqqPhZPNlS3exd80mmXA9ptWc7VoO4zvsTK1evI9iBv81QuL59JyYJiuTuLTbA3G76EYcMcVv9q40.cs	High entropy of concatenated method names: 'l5MJF0vpQPJbUi71eFmUKTDhTY4Qwe877PvKoC4AB6JDQknrfFUaw5kyeV94CdnFoqksQtX0GQ8QEYntElP6ZGb3', 'xadeNV33MWKl5ms8jqjZD0kspA3zgxSwbqWBtzJxU6XbnTGvM34bwTXaWXiyVs9zx8lgDH0khvtWJnMAmEyyEAW7', 'v9Fj1jch3K7q7vFQqK7wFPKgbAnehIAhCz8Bh2DxhbL683MRLRzJHam7PDCl3bx6vbipxIQiHeNng9VQVOlkhnIP', '_6EuL6rtRB2wxtDPigGvSJbVeyp7pubSTB77yoqQConnyxAoW0wQTN8KAYeSEjhgJPpJjp0KF6mqGVobSQ7D2tGWp', 'LDpI5pYf8eFqUamVqoHXHCf2xu5xRJ0TnSxKgGT8NJnAYoAd3rMerMdnXjrMBQLwLO', 'SW1VEzjRrMzvE2DQ4CHJRnoiBROVSOA7d91fahrwhV6Wu7yLgyGjTln6cOrKyoDnpY', 'BFXzEZCS9KAUMQtzWacglUUPkQ8LEgIgF9x0rqf853IdpbStbEsMC17IKVqIUOxdmL', 'SbMmqA7RXo3F7ufyItURyE8Sd2IOxhQkxP3TYPHS3wGO4PxwAQ63iw8MT62C8F5NMH', 'ljxl7SDLTB17wg7T5Ic8GdBUbXVhBjihDIKIhpl3RmPHEnSk1R53dDpyVK5LPAfqIh', '_7rm44ml0UApjPS3xuApn44aaFRMyvyrroQ4Pplt5cSVI1xVsfobeyw9NgNGQHnclMB'
Source: Teams.exe.4.dr, AxNLL2qwxotWTTDijmh3abU9Hb1wEfkrtuIE6gqinoCcVgRHPXqDrnQS8dNmaPvOvMUEfjVeA48bXQTvWiwwN4WG.cs	High entropy of concatenated method names: 'HVSotpCw10PcbHgH9MuOwxBcgfITzdLTTkFSvkAnRDpyHer2YKJxFb5ShJdlTEfmscttiby0r648GMSbrsEqtsh8', 'nLQlpxLvvbz4mtmEKujPJRdNfjBt1YkPOHgjdI4EuCuMksAfG0ioZznbhFSj1hCg7v', 'M1Bqx7EqAQj3oJy1AKG54GtNfEKET3XOGHpEQ3NOQInnGBvLho3N57KtyR4tzXUeYj', 'JgdyLHTGtqhT4a8wZFflZhwR849GQTDNS7txbK23bJFSdynkSnASKK3jUkE0sdUePE', 'hOfK58Hbm0QmouKpxdtOmEf3AxUNgHQoi5SOdBSLPV1lHQXH8R0PSWEGls0HbM1jec'
Source: Teams.exe.4.dr, galkvGG8EiPIcJR8LGppC8UxAdk7MX8S4JE18u0WRgtlYT5nELAVXthyxxBMjLf5FGgVcaoSmNKYAFZkLood1AVt.cs	High entropy of concatenated method names: 'Uf2T3bngWgeL4s5tZ70Gst0sZnfSOh5PiGIYyOwkvUwYr4h59ysCFYiWsV6Wt1cxb8p3lRHWNi4Wb01Re3Zozthj', 'XirxY2rgKavEADTJ9Z7Rl9PebpLHA3QarbS38VBW3WoPJrzUTHPHPJqa6oGqbFV3l1', '_3NCMA70TImJrlux0OjR4S5Yv71eKKLSccNkydVtkHQ88P2gVV3zE7BgVZa5071FGft', 'lX0Qi7Vnt7Gn31KeOBq1ucH2GHjMhsBzYONHsrYgq3xhrWlAxC5i2eKOskyFrCUEhF', 'ptyEPlCXtr4k3Cnim1ABAKZ5LG1H3vhWAd7ztgAxcZTHxSz6a32MwDPfvbx6in1oA9'
Source: Teams.exe.4.dr, F5vMHDl0yhQPqFo1H7ie55ng.cs	High entropy of concatenated method names: 'xCYvtnsP0UJSi3tqykECf0HF', 'RguiYWheTClE8b3yzBgXHLe0', 'wPzOcYqjLN91bmwgFWMVfVlLwYhmcpZCuL6MZNnSUIcSyLMgYRqNfav1', 'V719StdNeaONVJbg3iX25X5670sWyWWwZWYgJYEIYPKSXfI6pQuxu9jF', 'CqEIOTKT22I1I4uHbbUs3VbONxFkTxWJ9LESUKAdDClu5DnonD04hJn9', 'ZTjyHggJsUJxAQCQSqdwtA0MHsCN8AaI2KHSxNNOUpDRxemOY78QE0e7', 'qzLSp9r3Y6YX1hsrUSXKMvJbxoZhGesmStoZuooY6Zy3y1HpFRnZlPHQ', 'dRTifIhuMX4untF0SZeyukSpdy63Ck5SBOooOMHDS0nxOjMfR88Us43H', 'eUfL4dvqO0ihFJZptqAc6ynEVnxnXBCHP3rbYMrmlHnnCGETbIOhcBsr', 'n6H3gA1VCzzgDAIAuuDAmpq5oAFfglG6HYIxlW8EeriiHhmoV2Qpqpep'
Source: Teams.exe.4.dr, TyafYnZPI0nJXPTq2UgLGtZqQDMh54kIos4pBXVn6y77XaZixzdS2r7q5swYgLkLGFOLjzSv936fQcHXuWyjgjZY.cs	High entropy of concatenated method names: '_6R9honep9Q8eNg9wARu2CxfZzQA7tmHpyjLnG1lRtiZ9HeOupft2BvngKPmAxjKoiKLuuCSWtbFAHRXCf8cvSY8D', 'j9GqnvN2L46twQJS9tIoq87b8um7b4U1xmslatuYbEGrSUtxzwTxyDP4ilDYqpb3HvZylBhQsr', 'ZSkqGJMDnmujgo7UORaxccfIfin76euDMm9gzmNgoZzZMiok059speRmekYABH2eE4b7nO072m', 'ltJMOWlfwBblpJ2y4KlR8TlGGQfrAMs0XRtdQ2YyMwueDGbqEcB8HdLuMmG92XpBH12gnxh1JP', '_0hHubFKJV1w2GXnk243jP14ZJMLBCp7jk5xGxszM3C8JshBZdCFVuE2xk5jTDtR8fomP3ziCMi', 'xqRv7SyYJPujqdreAdBCUySC6QHiZlp6GfyEyQrhlW2hKdhsGmkJMMOrJOZYwHC5ofUnlp7moL', 'JHCYE7XA9LlDbd5safZBX6SR6ro4c3HG9jAZqukr2detWdKLjk3VPd8atGgIir9D85XSUFIgvx', 'NDmyOdePDqhRJGznyiBg6X6fnk4TsGP1J3DO2FOoCQZ5Omd3Yw4WgpvKbDdTFGiLBqimYDLV15', 'tIeaWxATc7ukxLfQA3JwBLtNThXJ0Q6NIZhP7UNPgabzCmPzn8bfWdwNlOftps6z9guhk9qM4u', 'wcgtDaSeJHxSrzkZMCmVpSisUMqsT5EntvCZq6oBxd4o6XoNKzHaYclAPCog5yU2yCDTcAL7Eg'

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Drops PE files

Source: C:\Users\user\AppData\Roaming\XClient.exe	File created: C:\Users\user\AppData\Roaming\Teams.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	File created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\XClient.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Roaming\XClient.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Teams			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Teams			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Memory allocated: 1620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Memory allocated: 1E6EBDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Memory allocated: 1E6EDAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1B160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1AE70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1A900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Teams.exe	Memory allocated: 1A1E0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598521	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597934	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596583	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596339	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596073	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Window / User API: threadDelayed 4143	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Window / User API: threadDelayed 5650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Window / User API: threadDelayed 7359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Window / User API: threadDelayed 2495	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\kwlYObMOSn.exe TID: 5028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598521s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597934s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596583s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -596073s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595793s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -594079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -593954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -593829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe TID: 5960	Thread sleep time: -593704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 6196	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 2924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 1856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 2124	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Teams.exe TID: 5032	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598521	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597934	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596583	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596339	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 596073	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Thread delayed: delay time: 593704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Teams.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: kwlYObMOSn.exe, 00000000.00000002.2052402034.0000000001256000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BootstrapperV1.23.exe, 00000002.00000002.2547110487.000001E6EBE1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: XClient.exe, 00000004.00000002.4506642415.000000001C130000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"/>
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: XClient.exe, 00000004.00000002.4501579682.0000000001460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Teams.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: BootstrapperV1.23.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe "C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c ipconfig /all	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Teams" /tr "C:\Users\user\AppData\Roaming\Teams.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\kwlYObMOSn.exe	Queries volume information: C:\Users\user\Desktop\kwlYObMOSn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Queries volume information: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Teams.exe	Queries volume information: C:\Users\user\AppData\Roaming\Teams.exe VolumeInformation

Source: C:\Users\user\Desktop\kwlYObMOSn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: XClient.exe, 00000004.00000002.4501579682.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4501579682.00000000014C3000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4506642415.000000001C130000.00000004.00000020.00020000.00000000.sdmp, XClient.exe, 00000004.00000002.4506642415.000000001C1BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\XClient.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kwlYObMOSn.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 4.0.XClient.exe.f20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fd5778.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kwlYObMOSn.exe.2fc4d38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.2051658508.0000000000F22000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053142429.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kwlYObMOSn.exe PID: 4080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Teams.exe, type: DROPPED

Windows Analysis Report
kwlYObMOSn.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1561585
Product:	CloudBasic
Start time:	20:59:07
Start date:	23.11.2024
Sample:	kwlYObMOSn.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f28a1fb54a5c3b2b4e4184e3dff4f50a
SHA1:	180878512f7cd7c75c87fff174203228de688d34
SHA256:	3914bb7ca015e96eb45556b7fa427a8b5fbfc497a9909b777ea5d4e5b321111e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BootstrapperV1.2_b3bef142175e2c9feedfe8f06a73673fcbfff2_9c4008b6_55181495-87bb-4c66-9a44-3854d34aea5d\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	98CDE6EACCCBD6E095E2E545F945BFE7	E8774E2ED387E7FB226A4781F0DD4E452068B76A	D9C4EAE29A26D430BDA2C776CC5B7B1C9F32677D0F48E98B612478DF33E62E22
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9337.tmp.dmp	Mini DuMP crash report, 16 streams, Sat Nov 23 20:00:15 2024, 0x1205a4 type	1CF39890037C7C4017E35D7566788C2E	FA9BBB18E2BFDD4FB629BF0C2FB85AF5B8C794CB	639053F7FDAC259CA802D40975E941A3A603C36BD20D6531E15FC6233AA126B2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9701.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	342E319241D85DE8AF523DED652C0C72	77396E79DC66DC75DDAC61265E3FDCE7612C91D6	FE07ADB460C4859283FA9A2054B7689EB9BB771103D574C20B485AF2E6CBE8BC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9731.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	C2B14730949DC8304808266C5785100F	E2D3CA390F32DE893A461301F6CF3DEB383D91B4	4F5DB76274A7E33C7C2AEBBA28F5B2B7725C89847A55A6BB2E3809DE85866ADA
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Teams.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kwlYObMOSn.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Roaming\BootstrapperV1.23.exe	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows	02C70D9D6696950C198DB93B7F6A835E	30231A467A49CC37768EEA0F55F4BEA1CBFB48E2	8F2E28588F2303BD8D7A9B0C3FF6A9CB16FA93F8DDC9C5E0666A8C12D6880EE3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 19:00:05 2024, mtime=Sat Nov 23 19:00:05 2024, atime=Sat Nov 23 19:00:05 2024, length=68096, window=hide	9A1C13C1DFEAC2E49524050A020BD8EE	98B322C0AAC3D3878086E5E99A19E2B453B3E581	827618C840CB935EFFEEF5250C80F520D80F988EB133CE9198D2149C146C3B03
C:\Users\user\AppData\Roaming\Teams.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	E82A4E80B783AB902E649D21DCD0F3D5	DD32A84C4BFF58262FECB1511FBDBECDAC2B8045	63988792736CC57B3B93735662A660A4229D76E487D3D59ABC0AE17BC05050A5
C:\Users\user\AppData\Roaming\XClient.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	E82A4E80B783AB902E649D21DCD0F3D5	DD32A84C4BFF58262FECB1511FBDBECDAC2B8045	63988792736CC57B3B93735662A660A4229D76E487D3D59ABC0AE17BC05050A5
C:\Users\user\Desktop\DISCORD	JSON data	B016DAFCA051F817C6BA098C096CB450	4CC74827C4B2ED534613C7764E6121CEB041B459	B03C8C2D2429E9DBC7920113DEDF6FC09095AB39421EE0CC8819AD412E5D67B9
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	81A1AA30793DD8171DDB48E3695E336C	CE3A89F8B7ED7728A8411D7FFFE11667F622DB07	4D5D6EB65BD43D5F68F21A4A450AB3ECACBCA3E037E0537A739B9C70DD6D79BA
\Device\ConDrv	ISO-8859 text, with CRLF, LF line terminators	5294778E41EE83E1F1E78B56466AD690	348B8B4687216D57B8DF59BBCEC481DC9D1E61A6	3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C

Windows Analysis Report kwlYObMOSn.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
kwlYObMOSn.exe

Malware Threat Intel
Provided by