Windows Analysis Report
KjCBSM7Ukv.exe

Overview

General Information

Sample name:	KjCBSM7Ukv.exe renamed because original name is a hash value
Original sample name:	fe7c4b36fca4fdf53789979a4a09c880.exe
Analysis ID:	1428548
MD5:	fe7c4b36fca4fdf53789979a4a09c880
SHA1:	89caf7f3b9f4d7d732ade5593e1958f6f025afa1
SHA256:	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470
Tags:	32exe
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["gamemodz.duckdns.org"], "Port": "6969", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for domain / URL

Source: https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf	Virustotal: Detection: 11%	Perma Link
Source: gamemodz.duckdns.org	Virustotal: Detection: 16%	Perma Link
Source: https://www.file-drop.cc	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: KjCBSM7Ukv.exe

Virustotal: Detection: 14%

Perma Link

Machine Learning detection for sample

Source: KjCBSM7Ukv.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: gamemodz.duckdns.org
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: 6969
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: KjCBSM7Ukv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.146.180:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: KjCBSM7Ukv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdbH source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: gamemodz.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /D/6829ab/Fizvmrd.vdf HTTP/1.1Host: www.file-drop.ccConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /D/6829ab/Fizvmrd.vdf HTTP/1.1Host: www.file-drop.ccConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: www.file-drop.cc

Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000305C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000003064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting6
Source: cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingy
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/#
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/2
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/6
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/9
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/:
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.file-drop.cc
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 172.67.146.180:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_0225E058	0_2_0225E058
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_0225DDA0	0_2_0225DDA0
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063CD5F0	0_2_063CD5F0
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063B0026	0_2_063B0026
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063B0040	0_2_063B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01658B58	1_2_01658B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01654A68	1_2_01654A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01654450	1_2_01654450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01659428	1_2_01659428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_016514F0	1_2_016514F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01658810	1_2_01658810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01651D3A	1_2_01651D3A

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668

PE / OLE file has an invalid certificate

Source: KjCBSM7Ukv.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000244C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient69.exe4 vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1648896271.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient69.exe4 vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000000.1628006059.0000000000112000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedisc.exe^ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe	Binary or memory string: OriginalFilenamedisc.exe^ vs KjCBSM7Ukv.exe

Uses 32bit PE files

Source: KjCBSM7Ukv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, E82QoNmOZf4HIIO7HiT6rnL8gaPd4gt0PHOeqpPWp8SJWRqcriTPoZ8MmcOcvvlKl0bXiJNYBd7C70.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/6@2/2

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KjCBSM7Ukv.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\eqLVKldUxQjNG8e8

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c411a00f-13c8-4a21-8d29-c6fba7f78b72

Jump to behavior

Source: KjCBSM7Ukv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: KjCBSM7Ukv.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KjCBSM7Ukv.exe

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\KjCBSM7Ukv.exe "C:\Users\user\Desktop\KjCBSM7Ukv.exe"
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KjCBSM7Ukv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: KjCBSM7Ukv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdbH source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.WSVyfM0ChJOVLpU9fMrrRVS0Cv5ZipxF3pO9rhwZDcS3b94RAdFGFtbB6zFdnPZP0xAnL2coNlG3lZbXczAYO0BXlW0LN,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.kWBR6coCFSFhmQlzA1hS4AfR6makW3DGrLYcNuoElwbWKIpdsdJVB2nLwTo3JIOLmfukMWn3zXvq9hewFtQmN2FXebRRs,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.Sm0mG6RUiRc82r3rat7Uhndwu6MRhdFqruADkC4P8agtaJZIJFT90XqKlTeFCZLGuXP9c2U7pJTxE2SJ6K5IKUcozC1wi,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH._4FVvlxj1muJ2j2gT5gTardfNJPjWRt5FPmRF6eD3TK4UlnI4sMtIqt6G2rBrz3lglCaXes9DLAlHNtUa4oloHvtjaxUHW,ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.WjkwG2AtdYKMwyDHETQcn9iKIlPBAgxbKuxoM8f1iCsewsYNtwW8EB1PleOpyAVFPvbZB2sOhTg3r8()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[2],ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.uru4pkMCStCbBsHEzDkpsE9qnv7FC49npd3yi7IGqH4OLXtUKs9cKdR8LCS6N9Gq1eJXDAZVixQeTJ(ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.lTIoKCtp9nNfGKgNpnK9w7oAnbhuHqe4T3TEv7r0qxFPmCpsdBNKELrSBbiESrMppYfN4WfxHinurm(hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: KjCBSM7Ukv.exe, Program.cs	.Net Code: PerformComplexCalculation System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: RoOwIgv14BDSo8hGtE9pEEFolIBstnU9h01jfvlBjC3VQm6mOJgWIQpjGZz9g80svnJ4fJiI7bG7Qp0h8LjfMR3JVOZ8Q System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: kn96RDglqorjf7OGrgep9jqrEo1y4IgqRA9YHkWPq9Ekr4zVOsaQ0HaxE5H8iaPg2FykMDjnnaHO2EI2K5hldnsFFSAuN System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: kn96RDglqorjf7OGrgep9jqrEo1y4IgqRA9YHkWPq9Ekr4zVOsaQ0HaxE5H8iaPg2FykMDjnnaHO2EI2K5hldnsFFSAuN
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4359f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.26950a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.26950a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4381f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5a30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4359f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1661567494.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662763939.00000000063D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.000000000268E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_01656A45 push eax; iretd

1_2_01656A69

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, spIgdAVKzYKo3gxf35lM9RbEUi3MbpZ0iN4U4EiA4c6ZYFvFA5acMsAsK35OXv55Fwr1R3tXMeVnX2.cs	High entropy of concatenated method names: 'Ii4604e1aF6Pmp4xImMcZ8PMKyRJI9D6a3VKfhSWRoLouAz0Q8xa9sbER8iIYcSsu2OlU2oSmgg3Iv', 'GFSr5uvITDVIGWNdzKSjDNGAO5wWBZgBGyh3jJJK2EQkvCQB9gJNj2m53PupdkPBHzaMZBTcDJHG8G', 's7NEjslk17WSVL5yDBlcmn6itFjgFU19ql7Fi9gxoIXZKpbpalY50ZKe0MtqNhdVp9PZYm4jzJQRCm', 'rzVQXXgtq4PAhccyWUx7D', 'PSVwohbSHrh5WSLjPI9ej', 'YKIFgPJaSWNwbuxPhAmyS', 'uUWoFH4xYPbaN4R9FdF2E', 'ozryzmNgkB626nzKc7X1o', 'Ef2AkmRRyVaOyFvPx5J6b', 'VhRcstUTM0kosdfogxonO'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.cs	High entropy of concatenated method names: 'CAFZozUzf9Zd9t63w0xWiFi6yZQEPZxaKSXIcDbF9lbpVMk18EtdZZjPXR0ECx9wYCkxmag8iQ7epV', 'iuj4zxKbRI10MRD9RzKMsQJ5T7z2h9d96xVcHrrO4ebpdq0YKA5IGZlWcCa1rqEtAbv7HXwaXmBY0F', 'MWYeSkfnK6mrCQoOnzgmvfWxzkBef4zopZtq5A6KuE3NON6GvTxhVrbRnH7HsboJ5zlKltmLXupcqh', 'UBD34Awc8fXqRYB4vgJIeYcOuj7L5aDcphLVmd8DQirXQj3dT76fGGtqNQvANuy3ZIDum0baCXr5NV'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, qvVlJlZDr0Sny4F1G7zPVbAP6Rrup8xZYlnUw9SkLn7CMt6IUnuWp6Hlhn2GZuG8uejZTQ08XJnq0FTTSkW9BF857pvsL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'LA7BoHfi5DwtTjPwOvozPPVSvTHG3Pl41hqOjU3wSK6ALraDQFm89fjn88oNfJEHSWMzH4t5Crm9hm', 'cQJSs6ZpsufvX3nQkVi2ZVVnsgPooYAAXZ3IAezqIhVACF4jaoeUQ4zlwkbyULrUB7D8uM8ZilRUUZ', 'fY8CCoJmq5u9nNULOwBcbWL3erX2angSLNECZpI8VKYEdkkI9kfe8qtxBHnGtKtWdX6H2X0N5umKdE', 'TJTPCBfsp0vqUuAGUPTeIkBdFCYRVaK7d5GEIYJLJb5NIcKSYVcaiFc0n5TyOLEbiOZz4OIa5JQFz9'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Q60Zn6xFubhiwuraExcDn2ijwJuxRg2iSSxBEamkXk2UfRlsW1D3zHfmTK71LcmEa3qUT7YU2p7u1zipHXSlC4Ra6p139.cs	High entropy of concatenated method names: 'HaObHHWE8qI9AyyUsJRN63sIdsJUqjLJohPEVToH4P01xshDjjCwmtVsRRRqiED7AsMN95kmhOqOUZ5ABRHcKYflNIIpr', 'FH2YKFKToWuD3gmHslCqJkxfa7Hz6WIsu4pzu2P3ITxitaqWYVoAOEROJYe00yo8s4xJq51Pbhpo7iOMb7hjfi4CsfOdU', 'es35mn0WJ4zF8Vr6DuUnFJ0NrzYLrFz1rIqmwA8cTwQEzl6W4wawfJwKsx6QI3X6vt3iAWCVhqjYhGXuJ4oewXAegn7zq', 'dIX0jLlq5U7anG0ipRxONtGXXQKiSli0aT08HqPcznaRquY6pSVfTUzF3e97D3BfFWCLQVJ557gggf7gHkHqTv1K9IDvQ', 'HwvzSV5EBbFxjF5HHxRSFYcjMTljuiBxaNM8suqTzIEIYGHEwoYW8AblmP5yywa2I0RGkmwkc99QAifyFKbPcSlY3A9cn', 'mjFSlwdyYRm925ObpeH0mZ4yDMqS0qRkd3FLwBkBNczIdDf07UIjbWB19xTLLVmEtyQhEhrTumyJEKvITDnbS3ND4QewW', '_3B60ygMVKkaPdK0z9ex0IjUvODfg1vDunF86VgZ4Dye2KY1dlFfU37PHdboP7MrSq2yxOQ4g3OuqKLpWzdJnCmBdU1pgm', 'jWaKJ1HSmE75kaPM9Af4Otc2eFYbq72WuFIyxlFxyaubJ16nYOJq0KzDl15oVDph49FKI3D7R867qId7tuYRZHWlnd4F9', 'OawLwhLLXYt0qplwMJRHrJdSkeKybSVPAujJ8RPDUDVAE7VaHB3jj87R11jhE2N2JdIoFR5mLT2UQdPWtC7DG22tfGLFo', '_3YPs4hu77fC9cGRD2OQExWxy2nWidHkWf5ER8A3Vu9NVwOeIMdjicVghFpm6495mzGNQPpuNJR9W3u6LedyCkBLz2E1XX'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, E82QoNmOZf4HIIO7HiT6rnL8gaPd4gt0PHOeqpPWp8SJWRqcriTPoZ8MmcOcvvlKl0bXiJNYBd7C70.cs	High entropy of concatenated method names: '_4MAYSCLZUfLXWr1ZAK5m7bLTsxxqqrlKu9j6IUXetevgd0DKXEO6h26Udi7N8FniVFHuAOmg5omZp8', 'Ig2WOVZ7Lq4qdvIY2738KY2KsJVhhqSlvVo5ww8MlZJU9VwrlaE9RMrvAb8vYWWI33sWJisFioA6hX', '_6Ktp9sMYX59TEdHmoSCYBmuo3hFJGtwHCsLKE1lJEBmiTkbdtnXmfoVuKG8uvTckzoIsI22kj5VNOQ', 'J38KPaUZs8WFqDEAAtxl7', 'AezvXVkcgOdEjBUupUjTU', '_7ZDlvuXA86ghEbB5pIFb5', 'iLLWF82zNmMs7PveewK2g', '_0f5XPvTU8RyWxT43BAQad', 'NpHvfhuulRu4kHZ8roRkK', 'l5zameYtMluC4ZgnUL3el'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	High entropy of concatenated method names: 'ZhHTeSxHzdBN8EybO6wyBxlfgloueQ0b8HB4FZc6DX10G5yX2FP4xN6t7kygnEFifmVfT2L7glnJ80', '_70BNbPfVJnNiDoL33NQTLiTqGpyHGc9hagv8xPn14nNWaqOHaMexLc1xrtBRGOXtbvjNM2JHLI5dRO', '_3Ckb6LGe4cwpnt88kptwxJeE534iDBG0j62SakM0yC5wIGjbksRmgQV3vj0WnZyy8Dim9C6w2WjHOo', 'U5exNRbcJowQCzw78hBMEDC9BHpw8vdQQGGAY8qZx8TTGuuR2mv9o5X79TglhEbAg37RgD6SCrE6um', 'qnkIvk8wZscjA3MPrvLVl1aYLsppqdkzDMk8gXDUwWnH3iICb3jPURzs4Q3PdiywkhCsNJFzsdsfRf', 'uHXYrDBo9MKqVciYsC6qAoAjPS6bNHmKJdcvUNx8ZL2miSWccPVRjfNdqiXBVBR5sTVavIisRXWW8D', 'srVuSX3Me0cfZb3KBx47W54ufOyFvt9eR72Cd0FGUlcw5bm80FvbhGfUDiIwO8BLMbAjSwAa5A3E12', 'tWBf4S8hRKFmfsbKtvvtAbBtuDKCxlNUBHOuSH5TR1DLYnWDArRdvRMYOKvAOban5Q7fUFx26GjNGy', 'dpOSyOQfsWrZ3jfASFXP07qLQ3RFyj4tGujsd57NisN38aw9O9UgMTY025doTs591drsrV8JV8LcGE', 'lTIoKCtp9nNfGKgNpnK9w7oAnbhuHqe4T3TEv7r0qxFPmCpsdBNKELrSBbiESrMppYfN4WfxHinurm'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, P3QNHTebhUTJn6Wgte6XhlSUgveTd3ige2yrBhaNzrxnt10B7R27wqWJVbiztnTiUxSPhCXLkaV7zt.cs	High entropy of concatenated method names: 'tl18V5cS3Xc5rsw4GwldtK5v56MwgIRlWmp8xT8K4g2xRB7AdDODnNOwL7o9IZDYjwCAvPSmS5pj4M', 'wJQ20Hcw6Xuyrx3MQNWCLixf6M05DCClT19YNXuApaGbQ6pb5yFRiTgbE3NeS9jaW4XMNNcX4FOeEz', 'oZcCo77IWP2hORto8yWhPgrbT2NwGtXf8TvDYfS7nxw6jM8M5PR4qJrMHdDDjSHVRL77kNnpm9CMhk', 'tP7bYTKPvk5wH1YeJzFu8', 'pqHY3NfyCS3dznIzEkOUm', 'gCVUzSOa7rMeTi2EcRQSo', 'VHq2D79g6kTnwUtWxR5EV', 'mICjSzNnshS5wVChAE627', 'pGLxCjIojLmtCQLZn0hdb', 'qbOyEvhQGfjK1JilGBAu5'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	High entropy of concatenated method names: 'g7yxGRGGBhln30VYH9hoUNeDM9a8wqcKYv0LfotVwUgtSubO6AyPgn83NX3JLQ1T3YfMqcYOi1Y4UcZTbxBHYPurBrAu3', 'RoOwIgv14BDSo8hGtE9pEEFolIBstnU9h01jfvlBjC3VQm6mOJgWIQpjGZz9g80svnJ4fJiI7bG7Qp0h8LjfMR3JVOZ8Q', 'fMfyv3oAp0Qgea1m7Vh2vGWifxW5CTNkNJ9GUOk2mkEetbSK5o0C3PCZ7OzlICXdJRTB0HthqVBTvOEgCbXRtsjW1KQu7', '_5JeouvyDslZtuG6BCaIPQrSo7jSWEB6rGqX8hhmRAj9xDvqUMJzCFjaKFzrmjX817dzEwaDt8tJ1qqpJmCYee77KcNC35', 'tcwDOXP34syeIdqExS5j0lXVgyyYSpOo2mhcj5EV94gerILMuLbX39gKHEjAoLhrPLJMIKCxLY8qS1pgyRsvjBe2o0qZR', 'sQuBskSrSGNBFWzCZb6dz6IbB3RGXNwP3fpj1yuNc4f1M5U9y88VsXcCiB9s9rZp8L1eFwofEf4Xau9LNgu2yqfIhKchJ', 'MAXkVEy7r7j1BeSaTaHejwcz1i38sxmfXzRYaL5YfjArQKpfgbZip26vFfYxrqSdrr0kaG9HqiVte7v49Nq1GV88vuB6V', '_6iQE2RKQgre0NUZWLbk3O12JxPeC0DLyHXqroMn14knw1wXGhauY1E2baaOshWJXKzNk4F6mEGWnqjhhdnv7J7CHbA2dd', 'lhcBTjpo9mqG1UF36bv8LJWNtL5S3cJPLBz2DIfYSEtCC1MTtB1BGw7XJLfxueobpbJBlQszWdUskIwHw5JBuHajw2wpC', 'HwbwHJIE59X7owMSlPF9bE1Ru5ns0IS8bRz6Lmo54dm6AyhfR1z9Qo5qRLF6cd2VSEEqnCffsCUmMEo6Fe6azSlsgePDQ'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	High entropy of concatenated method names: 'GQFHxjh4relEjLLVWukRRy65rvv3cviO2KluqrB3plnm6Tmkz4uO0Z0ZiyJ92MvgtmIPefhsrTWg0E0DkqVOrjH0qKHJb', 'CxtgTmXOqfN75RxTlbWgsCpCHMEUirCSRjlcrDfvKS9mnJhwuBoj2BueacLWEqDrLpV3OzXIqD9FE1ak7A6icJsDGZFsi', '_1ozH2Z5ekqbpcOfqPWp2gLWbxx1fxooB7eWHhy4uIiFpFwE0jiSzzVl7JoWbgdybaaQqxRYzCwqP85TgEebaMxJYGEtmO', 'HJWL2FSItf6nSqnjAb2hF1NwA0JUF5y2zzZMOz3g4Ef9PlKobhn0HN0wxK5x2fyQT00vuZsuZQv7v7YNiooanAj9ZQ3cj', '_56qdoKQcSObDwzryo2WJZroQdvi2irXbdJfZHmNsw7F9yEuNqkbgpWp8Zfvrov1eBcNuUMxNcJ1H0Z8mZUSahG6tk1J0T', 'N1mNFG5jM2F0LMozF1Vte4TVc6RiQAsuMLQYEfuzdna2TNJJ8a2fwLAatsPmgShGxHQYvbT5L0lYP1TgZoea2XWwdWnrL', 'mEFEr2TvvvKlIiBcYOvMFxd6XPfFPEjQhdsuH3JbmR1n8SIaktuktnzh9w9dSiA65VVju036W1UUPOMJYDODvGrWFrqst', 'U8Fq6qyNDteRbWr1vA3eO7jlWNWaEaMm4g249mDaWCWAPAIfyCpFWXn07HIDVOpMbYjl5yl2u2BSjUZtUWF253DPc51lv', 'A9GLzDs3uZXNhen59OriZpSyWBC0tqKAsqlrldctNZ5mPOJUqRQGMKSzx3oBTKKKOfIgRjzFsqxajTtHnjNc0SBYX25ce', 'aU7KkJkmKX9auy8bQt0uCCv2i5vLRqDy2oIGvl2Y13T76WXNGsjVKLFTqiYux1GuKziwFJeBYIh01Q5xnBGTuNcmuWFG5'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 55WGExtdPFTFcXPQCATisRiqB5DcSyba2zwYvXUE894St4doBFa2JUbinHIbyKpa8TjbcEQz5P9meu.cs	High entropy of concatenated method names: 'fBNcOtV6thM1vJWYdvU3j6IcK4ied4ujxXis5fhigtl0XEpk9U7lLxEzkNj5c2lfON3ktf051EnFK8', 'RO0RWVEgIVjnqI3AoBd8howWJ077tQAoYeytwbSlj4qenWq7ZYqUm9gs9TEdL0LneEMk1RvZ2XtAU8', 'XYmbYIIUG8HfEtRQcMlOGFOMjOzDkCQdwTDMWOvTQb9F1S33S8fMIJO3ZdEXW5S5drrMBMzfZWG4hZ', 'AA5FbMEmRF0Q2CfW2tRfIAmYj0KcHf7zEx565JF5ZDDFn2auEtiucGR3X7wdjiZPVtYzpQBoSYwvph', 'SaWSrGxCyrEY2MrnzdSpf', 'yxUzCYn4LCnrxOPTRt4KQ', '_2Kaa8xgdJvnAfArLUQaJi', '_7aWtHN4qXg8cpW65dJ7GP', 'RjOaJiRaNOf5I1wF3d33v', 'qUpfQP53LfvzNqo3FFlse'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ssgag3T7mIN41nJTdxiIlJDOyE3pMd5g6WEB7TgSwXVvrgjStRWBeAg5mJ8h87x3O364SxNZMwKgyL.cs	High entropy of concatenated method names: 'UypUUbau1ZinT0UXzYZxdvfrDzGWsmwg0AKw6yZFw0OLobdVIyDS5u7I0SVPS0tlutlHFt2K3glxFt', 'tsFnM0w5hNUPxZ2EvXnE1', 'IakdJ6fSfmI1pPLrEG00a', 'vSaJF76rzFsGFiak4a80N', 'j3BWlhAuCFRf19robiRmS'

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 2250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 23E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 43E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 63D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 5BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe TID: 7132	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe TID: 6032	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: cvtres.exe, 00000001.00000002.1780735464.000000000139F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KjCBSM7Ukv.exe, 00000000.00000002.1648896271.0000000000728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: cvtres.exe, 00000001.00000002.1781695360.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_0165284C CheckRemoteDebuggerPresent,

1_2_0165284C

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Users\user\Desktop\KjCBSM7Ukv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6752, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6752, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
172.67.146.180	www.file-drop.cc	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
www.file-drop.cc	172.67.146.180	true
ip-api.com	208.95.112.1	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
gamemodz.duckdns.org	true	16%, Virustotal, Browse	unknown
https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf	false	12%, Virustotal, Browse	unknown
http://ip-api.com/line/?fields=hosting	false		high

AV Detection

Found malware configuration

Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["gamemodz.duckdns.org"], "Port": "6969", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Multi AV Scanner detection for domain / URL

Source: https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf	Virustotal: Detection: 11%	Perma Link
Source: gamemodz.duckdns.org	Virustotal: Detection: 16%	Perma Link
Source: https://www.file-drop.cc	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: KjCBSM7Ukv.exe

Virustotal: Detection: 14%

Perma Link

Machine Learning detection for sample

Source: KjCBSM7Ukv.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: gamemodz.duckdns.org
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: 6969
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack	String decryptor: USB.exe

Uses 32bit PE files

Source: KjCBSM7Ukv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.146.180:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: KjCBSM7Ukv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdbH source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: gamemodz.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /D/6829ab/Fizvmrd.vdf HTTP/1.1Host: www.file-drop.ccConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /D/6829ab/Fizvmrd.vdf HTTP/1.1Host: www.file-drop.ccConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: www.file-drop.cc

Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000305C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000003064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting6
Source: cvtres.exe, 00000001.00000002.1780735464.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingy
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: KjCBSM7Ukv.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/#
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/2
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/6
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/9
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://discord.com/:
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000023E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.file-drop.cc
Source: KjCBSM7Ukv.exe	String found in binary or memory: https://www.file-drop.cc/D/6829ab/Fizvmrd.vdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 172.67.146.180:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_0225E058	0_2_0225E058
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_0225DDA0	0_2_0225DDA0
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063CD5F0	0_2_063CD5F0
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063B0026	0_2_063B0026
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Code function: 0_2_063B0040	0_2_063B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01658B58	1_2_01658B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01654A68	1_2_01654A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01654450	1_2_01654450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01659428	1_2_01659428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_016514F0	1_2_016514F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01658810	1_2_01658810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 1_2_01651D3A	1_2_01651D3A

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668

PE / OLE file has an invalid certificate

Source: KjCBSM7Ukv.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000244C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient69.exe4 vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.000000000295B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1648896271.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrnuhepyot.dll" vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient69.exe4 vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000000.1628006059.0000000000112000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedisc.exe^ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs KjCBSM7Ukv.exe
Source: KjCBSM7Ukv.exe	Binary or memory string: OriginalFilenamedisc.exe^ vs KjCBSM7Ukv.exe

Uses 32bit PE files

Source: KjCBSM7Ukv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, E82QoNmOZf4HIIO7HiT6rnL8gaPd4gt0PHOeqpPWp8SJWRqcriTPoZ8MmcOcvvlKl0bXiJNYBd7C70.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/6@2/2

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KjCBSM7Ukv.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\eqLVKldUxQjNG8e8

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c411a00f-13c8-4a21-8d29-c6fba7f78b72

Jump to behavior

Source: KjCBSM7Ukv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: KjCBSM7Ukv.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KjCBSM7Ukv.exe

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\KjCBSM7Ukv.exe "C:\Users\user\Desktop\KjCBSM7Ukv.exe"
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1668
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KjCBSM7Ukv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: KjCBSM7Ukv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1652553493.00000000040E8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002609000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1657555936.0000000004430000.00000004.08000000.00040000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: protobuf-net.pdb source: KjCBSM7Ukv.exe, 00000000.00000002.1661838396.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.pdbH source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Management.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WER40FF.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER40FF.tmp.dmp.4.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.WSVyfM0ChJOVLpU9fMrrRVS0Cv5ZipxF3pO9rhwZDcS3b94RAdFGFtbB6zFdnPZP0xAnL2coNlG3lZbXczAYO0BXlW0LN,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.kWBR6coCFSFhmQlzA1hS4AfR6makW3DGrLYcNuoElwbWKIpdsdJVB2nLwTo3JIOLmfukMWn3zXvq9hewFtQmN2FXebRRs,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.Sm0mG6RUiRc82r3rat7Uhndwu6MRhdFqruADkC4P8agtaJZIJFT90XqKlTeFCZLGuXP9c2U7pJTxE2SJ6K5IKUcozC1wi,BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH._4FVvlxj1muJ2j2gT5gTardfNJPjWRt5FPmRF6eD3TK4UlnI4sMtIqt6G2rBrz3lglCaXes9DLAlHNtUa4oloHvtjaxUHW,ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.WjkwG2AtdYKMwyDHETQcn9iKIlPBAgxbKuxoM8f1iCsewsYNtwW8EB1PleOpyAVFPvbZB2sOhTg3r8()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[2],ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.uru4pkMCStCbBsHEzDkpsE9qnv7FC49npd3yi7IGqH4OLXtUKs9cKdR8LCS6N9Gq1eJXDAZVixQeTJ(ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.lTIoKCtp9nNfGKgNpnK9w7oAnbhuHqe4T3TEv7r0qxFPmCpsdBNKELrSBbiESrMppYfN4WfxHinurm(hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hf5fbF5zMruJfnJSzvuy4Kn5nZCesPXn6aT9mkANIePnc8e63xC5wu0bUSIfFgzlT6Ss7LIh3YA3Ng[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: KjCBSM7Ukv.exe, Program.cs	.Net Code: PerformComplexCalculation System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.KjCBSM7Ukv.exe.5a90000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4110298.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: RoOwIgv14BDSo8hGtE9pEEFolIBstnU9h01jfvlBjC3VQm6mOJgWIQpjGZz9g80svnJ4fJiI7bG7Qp0h8LjfMR3JVOZ8Q System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: kn96RDglqorjf7OGrgep9jqrEo1y4IgqRA9YHkWPq9Ekr4zVOsaQ0HaxE5H8iaPg2FykMDjnnaHO2EI2K5hldnsFFSAuN System.AppDomain.Load(byte[])
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	.Net Code: kn96RDglqorjf7OGrgep9jqrEo1y4IgqRA9YHkWPq9Ekr4zVOsaQ0HaxE5H8iaPg2FykMDjnnaHO2EI2K5hldnsFFSAuN
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.KjCBSM7Ukv.exe.4430000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4359f38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.26950a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.26950a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4381f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5a30000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.4359f38.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.41602b8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1661567494.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662763939.00000000063D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.000000000268E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000004160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_01656A45 push eax; iretd

1_2_01656A69

Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, spIgdAVKzYKo3gxf35lM9RbEUi3MbpZ0iN4U4EiA4c6ZYFvFA5acMsAsK35OXv55Fwr1R3tXMeVnX2.cs	High entropy of concatenated method names: 'Ii4604e1aF6Pmp4xImMcZ8PMKyRJI9D6a3VKfhSWRoLouAz0Q8xa9sbER8iIYcSsu2OlU2oSmgg3Iv', 'GFSr5uvITDVIGWNdzKSjDNGAO5wWBZgBGyh3jJJK2EQkvCQB9gJNj2m53PupdkPBHzaMZBTcDJHG8G', 's7NEjslk17WSVL5yDBlcmn6itFjgFU19ql7Fi9gxoIXZKpbpalY50ZKe0MtqNhdVp9PZYm4jzJQRCm', 'rzVQXXgtq4PAhccyWUx7D', 'PSVwohbSHrh5WSLjPI9ej', 'YKIFgPJaSWNwbuxPhAmyS', 'uUWoFH4xYPbaN4R9FdF2E', 'ozryzmNgkB626nzKc7X1o', 'Ef2AkmRRyVaOyFvPx5J6b', 'VhRcstUTM0kosdfogxonO'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, BmbcNrp9UKDIVUXMDLIMRgdU6CWuOqCWzbQECkn78bNMFxwsPPgnTiGV9WQ7Tb6xuGgbkHFaCFja9nJFqeUQwrunePyOH.cs	High entropy of concatenated method names: 'CAFZozUzf9Zd9t63w0xWiFi6yZQEPZxaKSXIcDbF9lbpVMk18EtdZZjPXR0ECx9wYCkxmag8iQ7epV', 'iuj4zxKbRI10MRD9RzKMsQJ5T7z2h9d96xVcHrrO4ebpdq0YKA5IGZlWcCa1rqEtAbv7HXwaXmBY0F', 'MWYeSkfnK6mrCQoOnzgmvfWxzkBef4zopZtq5A6KuE3NON6GvTxhVrbRnH7HsboJ5zlKltmLXupcqh', 'UBD34Awc8fXqRYB4vgJIeYcOuj7L5aDcphLVmd8DQirXQj3dT76fGGtqNQvANuy3ZIDum0baCXr5NV'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, qvVlJlZDr0Sny4F1G7zPVbAP6Rrup8xZYlnUw9SkLn7CMt6IUnuWp6Hlhn2GZuG8uejZTQ08XJnq0FTTSkW9BF857pvsL.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'LA7BoHfi5DwtTjPwOvozPPVSvTHG3Pl41hqOjU3wSK6ALraDQFm89fjn88oNfJEHSWMzH4t5Crm9hm', 'cQJSs6ZpsufvX3nQkVi2ZVVnsgPooYAAXZ3IAezqIhVACF4jaoeUQ4zlwkbyULrUB7D8uM8ZilRUUZ', 'fY8CCoJmq5u9nNULOwBcbWL3erX2angSLNECZpI8VKYEdkkI9kfe8qtxBHnGtKtWdX6H2X0N5umKdE', 'TJTPCBfsp0vqUuAGUPTeIkBdFCYRVaK7d5GEIYJLJb5NIcKSYVcaiFc0n5TyOLEbiOZz4OIa5JQFz9'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Q60Zn6xFubhiwuraExcDn2ijwJuxRg2iSSxBEamkXk2UfRlsW1D3zHfmTK71LcmEa3qUT7YU2p7u1zipHXSlC4Ra6p139.cs	High entropy of concatenated method names: 'HaObHHWE8qI9AyyUsJRN63sIdsJUqjLJohPEVToH4P01xshDjjCwmtVsRRRqiED7AsMN95kmhOqOUZ5ABRHcKYflNIIpr', 'FH2YKFKToWuD3gmHslCqJkxfa7Hz6WIsu4pzu2P3ITxitaqWYVoAOEROJYe00yo8s4xJq51Pbhpo7iOMb7hjfi4CsfOdU', 'es35mn0WJ4zF8Vr6DuUnFJ0NrzYLrFz1rIqmwA8cTwQEzl6W4wawfJwKsx6QI3X6vt3iAWCVhqjYhGXuJ4oewXAegn7zq', 'dIX0jLlq5U7anG0ipRxONtGXXQKiSli0aT08HqPcznaRquY6pSVfTUzF3e97D3BfFWCLQVJ557gggf7gHkHqTv1K9IDvQ', 'HwvzSV5EBbFxjF5HHxRSFYcjMTljuiBxaNM8suqTzIEIYGHEwoYW8AblmP5yywa2I0RGkmwkc99QAifyFKbPcSlY3A9cn', 'mjFSlwdyYRm925ObpeH0mZ4yDMqS0qRkd3FLwBkBNczIdDf07UIjbWB19xTLLVmEtyQhEhrTumyJEKvITDnbS3ND4QewW', '_3B60ygMVKkaPdK0z9ex0IjUvODfg1vDunF86VgZ4Dye2KY1dlFfU37PHdboP7MrSq2yxOQ4g3OuqKLpWzdJnCmBdU1pgm', 'jWaKJ1HSmE75kaPM9Af4Otc2eFYbq72WuFIyxlFxyaubJ16nYOJq0KzDl15oVDph49FKI3D7R867qId7tuYRZHWlnd4F9', 'OawLwhLLXYt0qplwMJRHrJdSkeKybSVPAujJ8RPDUDVAE7VaHB3jj87R11jhE2N2JdIoFR5mLT2UQdPWtC7DG22tfGLFo', '_3YPs4hu77fC9cGRD2OQExWxy2nWidHkWf5ER8A3Vu9NVwOeIMdjicVghFpm6495mzGNQPpuNJR9W3u6LedyCkBLz2E1XX'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, E82QoNmOZf4HIIO7HiT6rnL8gaPd4gt0PHOeqpPWp8SJWRqcriTPoZ8MmcOcvvlKl0bXiJNYBd7C70.cs	High entropy of concatenated method names: '_4MAYSCLZUfLXWr1ZAK5m7bLTsxxqqrlKu9j6IUXetevgd0DKXEO6h26Udi7N8FniVFHuAOmg5omZp8', 'Ig2WOVZ7Lq4qdvIY2738KY2KsJVhhqSlvVo5ww8MlZJU9VwrlaE9RMrvAb8vYWWI33sWJisFioA6hX', '_6Ktp9sMYX59TEdHmoSCYBmuo3hFJGtwHCsLKE1lJEBmiTkbdtnXmfoVuKG8uvTckzoIsI22kj5VNOQ', 'J38KPaUZs8WFqDEAAtxl7', 'AezvXVkcgOdEjBUupUjTU', '_7ZDlvuXA86ghEbB5pIFb5', 'iLLWF82zNmMs7PveewK2g', '_0f5XPvTU8RyWxT43BAQad', 'NpHvfhuulRu4kHZ8roRkK', 'l5zameYtMluC4ZgnUL3el'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ICNhUEC49XYePafhHkU9bNM74HFLRmpWda3g4FlCDSetuYw9rAjWICE3BOqjQyOJKckJ79LNQ2mCW4.cs	High entropy of concatenated method names: 'ZhHTeSxHzdBN8EybO6wyBxlfgloueQ0b8HB4FZc6DX10G5yX2FP4xN6t7kygnEFifmVfT2L7glnJ80', '_70BNbPfVJnNiDoL33NQTLiTqGpyHGc9hagv8xPn14nNWaqOHaMexLc1xrtBRGOXtbvjNM2JHLI5dRO', '_3Ckb6LGe4cwpnt88kptwxJeE534iDBG0j62SakM0yC5wIGjbksRmgQV3vj0WnZyy8Dim9C6w2WjHOo', 'U5exNRbcJowQCzw78hBMEDC9BHpw8vdQQGGAY8qZx8TTGuuR2mv9o5X79TglhEbAg37RgD6SCrE6um', 'qnkIvk8wZscjA3MPrvLVl1aYLsppqdkzDMk8gXDUwWnH3iICb3jPURzs4Q3PdiywkhCsNJFzsdsfRf', 'uHXYrDBo9MKqVciYsC6qAoAjPS6bNHmKJdcvUNx8ZL2miSWccPVRjfNdqiXBVBR5sTVavIisRXWW8D', 'srVuSX3Me0cfZb3KBx47W54ufOyFvt9eR72Cd0FGUlcw5bm80FvbhGfUDiIwO8BLMbAjSwAa5A3E12', 'tWBf4S8hRKFmfsbKtvvtAbBtuDKCxlNUBHOuSH5TR1DLYnWDArRdvRMYOKvAOban5Q7fUFx26GjNGy', 'dpOSyOQfsWrZ3jfASFXP07qLQ3RFyj4tGujsd57NisN38aw9O9UgMTY025doTs591drsrV8JV8LcGE', 'lTIoKCtp9nNfGKgNpnK9w7oAnbhuHqe4T3TEv7r0qxFPmCpsdBNKELrSBbiESrMppYfN4WfxHinurm'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, P3QNHTebhUTJn6Wgte6XhlSUgveTd3ige2yrBhaNzrxnt10B7R27wqWJVbiztnTiUxSPhCXLkaV7zt.cs	High entropy of concatenated method names: 'tl18V5cS3Xc5rsw4GwldtK5v56MwgIRlWmp8xT8K4g2xRB7AdDODnNOwL7o9IZDYjwCAvPSmS5pj4M', 'wJQ20Hcw6Xuyrx3MQNWCLixf6M05DCClT19YNXuApaGbQ6pb5yFRiTgbE3NeS9jaW4XMNNcX4FOeEz', 'oZcCo77IWP2hORto8yWhPgrbT2NwGtXf8TvDYfS7nxw6jM8M5PR4qJrMHdDDjSHVRL77kNnpm9CMhk', 'tP7bYTKPvk5wH1YeJzFu8', 'pqHY3NfyCS3dznIzEkOUm', 'gCVUzSOa7rMeTi2EcRQSo', 'VHq2D79g6kTnwUtWxR5EV', 'mICjSzNnshS5wVChAE627', 'pGLxCjIojLmtCQLZn0hdb', 'qbOyEvhQGfjK1JilGBAu5'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 5wiSm7EBxTiBGFt8wGsQtht05lGypg973Cwdja1k8SQ7eYKeLIebuVUnvH5O81s6OtAntxFmjFw4gZzvtN6yzBZyRxuCw.cs	High entropy of concatenated method names: 'g7yxGRGGBhln30VYH9hoUNeDM9a8wqcKYv0LfotVwUgtSubO6AyPgn83NX3JLQ1T3YfMqcYOi1Y4UcZTbxBHYPurBrAu3', 'RoOwIgv14BDSo8hGtE9pEEFolIBstnU9h01jfvlBjC3VQm6mOJgWIQpjGZz9g80svnJ4fJiI7bG7Qp0h8LjfMR3JVOZ8Q', 'fMfyv3oAp0Qgea1m7Vh2vGWifxW5CTNkNJ9GUOk2mkEetbSK5o0C3PCZ7OzlICXdJRTB0HthqVBTvOEgCbXRtsjW1KQu7', '_5JeouvyDslZtuG6BCaIPQrSo7jSWEB6rGqX8hhmRAj9xDvqUMJzCFjaKFzrmjX817dzEwaDt8tJ1qqpJmCYee77KcNC35', 'tcwDOXP34syeIdqExS5j0lXVgyyYSpOo2mhcj5EV94gerILMuLbX39gKHEjAoLhrPLJMIKCxLY8qS1pgyRsvjBe2o0qZR', 'sQuBskSrSGNBFWzCZb6dz6IbB3RGXNwP3fpj1yuNc4f1M5U9y88VsXcCiB9s9rZp8L1eFwofEf4Xau9LNgu2yqfIhKchJ', 'MAXkVEy7r7j1BeSaTaHejwcz1i38sxmfXzRYaL5YfjArQKpfgbZip26vFfYxrqSdrr0kaG9HqiVte7v49Nq1GV88vuB6V', '_6iQE2RKQgre0NUZWLbk3O12JxPeC0DLyHXqroMn14knw1wXGhauY1E2baaOshWJXKzNk4F6mEGWnqjhhdnv7J7CHbA2dd', 'lhcBTjpo9mqG1UF36bv8LJWNtL5S3cJPLBz2DIfYSEtCC1MTtB1BGw7XJLfxueobpbJBlQszWdUskIwHw5JBuHajw2wpC', 'HwbwHJIE59X7owMSlPF9bE1Ru5ns0IS8bRz6Lmo54dm6AyhfR1z9Qo5qRLF6cd2VSEEqnCffsCUmMEo6Fe6azSlsgePDQ'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, Lof5uhYcyFa0fioPYjKPe99cqLRTqzxK8RWKufv2mhMg2yKOdlgd1RBJbAkO4QLvObNqtKI8efoDiLDVG14Z07NKOIjFM.cs	High entropy of concatenated method names: 'GQFHxjh4relEjLLVWukRRy65rvv3cviO2KluqrB3plnm6Tmkz4uO0Z0ZiyJ92MvgtmIPefhsrTWg0E0DkqVOrjH0qKHJb', 'CxtgTmXOqfN75RxTlbWgsCpCHMEUirCSRjlcrDfvKS9mnJhwuBoj2BueacLWEqDrLpV3OzXIqD9FE1ak7A6icJsDGZFsi', '_1ozH2Z5ekqbpcOfqPWp2gLWbxx1fxooB7eWHhy4uIiFpFwE0jiSzzVl7JoWbgdybaaQqxRYzCwqP85TgEebaMxJYGEtmO', 'HJWL2FSItf6nSqnjAb2hF1NwA0JUF5y2zzZMOz3g4Ef9PlKobhn0HN0wxK5x2fyQT00vuZsuZQv7v7YNiooanAj9ZQ3cj', '_56qdoKQcSObDwzryo2WJZroQdvi2irXbdJfZHmNsw7F9yEuNqkbgpWp8Zfvrov1eBcNuUMxNcJ1H0Z8mZUSahG6tk1J0T', 'N1mNFG5jM2F0LMozF1Vte4TVc6RiQAsuMLQYEfuzdna2TNJJ8a2fwLAatsPmgShGxHQYvbT5L0lYP1TgZoea2XWwdWnrL', 'mEFEr2TvvvKlIiBcYOvMFxd6XPfFPEjQhdsuH3JbmR1n8SIaktuktnzh9w9dSiA65VVju036W1UUPOMJYDODvGrWFrqst', 'U8Fq6qyNDteRbWr1vA3eO7jlWNWaEaMm4g249mDaWCWAPAIfyCpFWXn07HIDVOpMbYjl5yl2u2BSjUZtUWF253DPc51lv', 'A9GLzDs3uZXNhen59OriZpSyWBC0tqKAsqlrldctNZ5mPOJUqRQGMKSzx3oBTKKKOfIgRjzFsqxajTtHnjNc0SBYX25ce', 'aU7KkJkmKX9auy8bQt0uCCv2i5vLRqDy2oIGvl2Y13T76WXNGsjVKLFTqiYux1GuKziwFJeBYIh01Q5xnBGTuNcmuWFG5'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, 55WGExtdPFTFcXPQCATisRiqB5DcSyba2zwYvXUE894St4doBFa2JUbinHIbyKpa8TjbcEQz5P9meu.cs	High entropy of concatenated method names: 'fBNcOtV6thM1vJWYdvU3j6IcK4ied4ujxXis5fhigtl0XEpk9U7lLxEzkNj5c2lfON3ktf051EnFK8', 'RO0RWVEgIVjnqI3AoBd8howWJ077tQAoYeytwbSlj4qenWq7ZYqUm9gs9TEdL0LneEMk1RvZ2XtAU8', 'XYmbYIIUG8HfEtRQcMlOGFOMjOzDkCQdwTDMWOvTQb9F1S33S8fMIJO3ZdEXW5S5drrMBMzfZWG4hZ', 'AA5FbMEmRF0Q2CfW2tRfIAmYj0KcHf7zEx565JF5ZDDFn2auEtiucGR3X7wdjiZPVtYzpQBoSYwvph', 'SaWSrGxCyrEY2MrnzdSpf', 'yxUzCYn4LCnrxOPTRt4KQ', '_2Kaa8xgdJvnAfArLUQaJi', '_7aWtHN4qXg8cpW65dJ7GP', 'RjOaJiRaNOf5I1wF3d33v', 'qUpfQP53LfvzNqo3FFlse'
Source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, ssgag3T7mIN41nJTdxiIlJDOyE3pMd5g6WEB7TgSwXVvrgjStRWBeAg5mJ8h87x3O364SxNZMwKgyL.cs	High entropy of concatenated method names: 'UypUUbau1ZinT0UXzYZxdvfrDzGWsmwg0AKw6yZFw0OLobdVIyDS5u7I0SVPS0tlutlHFt2K3glxFt', 'tsFnM0w5hNUPxZ2EvXnE1', 'IakdJ6fSfmI1pPLrEG00a', 'vSaJF76rzFsGFiak4a80N', 'j3BWlhAuCFRf19robiRmS'

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, KjCBSM7Ukv.exe, 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.1781695360.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 2250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 23E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 43E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 63D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Memory allocated: 5BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe TID: 7132	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe TID: 6032	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: cvtres.exe, 00000001.00000002.1780735464.000000000139F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KjCBSM7Ukv.exe, 00000000.00000002.1648896271.0000000000728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: cvtres.exe, 00000001.00000002.1781695360.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: KjCBSM7Ukv.exe, 00000000.00000002.1650015728.0000000002650000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Code function: 1_2_0165284C CheckRemoteDebuggerPresent,

1_2_0165284C

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Users\user\Desktop\KjCBSM7Ukv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KjCBSM7Ukv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6752, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3ec0cb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.5570000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.3a10c38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.39e8c18.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1658667016.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.0000000003EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1652553493.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KjCBSM7Ukv.exe.276bd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1780455840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1650015728.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KjCBSM7Ukv.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 6752, type: MEMORYSTR

ID:	1428548
Product:	CloudBasic
Start time:	07:35:11
Start date:	19.04.2024
Sample:	KjCBSM7Ukv.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fe7c4b36fca4fdf53789979a4a09c880
SHA1:	89caf7f3b9f4d7d732ade5593e1958f6f025afa1
SHA256:	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cvtres.exe_9cebbb35099493e8eef666c73a0984e3abb1_c414e931_7578e924-5677-4055-9699-9b04449069e8\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	D547B011FE026B1DA6A8BBC6EE0E55AA	8C88F3D6572EE52FD20C9014573E2B0E34767F5A	27B54146C4A360822642F7F75602F973C8C3FF1947261688A95E6D2CCCCFD15B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER40FF.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 19 05:36:04 2024, 0x1205a4 type	0F41BE457201853442AC16B0D1F526E1	DAD08EA7BC9AC45D4967C1062B72E9A28D87AA08	9C1EECDBE7AA7D57A00AC098441A827A8EAACEE881CC4D40B9B8B83196BDDB81
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42E5.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	0CC0D87EC7732913C490C0B9304150E4	D8AB1F047F5E44916A4793AC26430E3254DC575E	3589241A59EACB61F4BB87CB57337CA45653FBA5A10B4DFBBB3DD6A1022B7F8E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4315.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3A718B7942C53890924E033C58A150D4	8D34217C87ADB9DF3EE15F91FE1572386CAAAD84	63C2A08D65206A711C3B261E6694074C126E144B16EB1F63380CFDC38800854E
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KjCBSM7Ukv.exe.log	ASCII text, with CRLF line terminators	D5F0E53F52AB8FA3BEB3D61F6DD7E35C	1FCEEB1CA14EAABC17D427180A436779E5834096	6D8230D75A1F0383C58AF007EAFE73519258929DB9D89F1B73E8B461D50DE639
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	849F975797998DBAA8EB9251176CDE59	F7DDE9DEB5AE5EEF1F2EB8EC196B98D2D0B04745	89F432AAED731BE4432BA748179ECDF3106A5F88D55B05F7A68F2974AC7DE79B

Windows Analysis Report
KjCBSM7Ukv.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report KjCBSM7Ukv.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
KjCBSM7Ukv.exe

Malware Threat Intel
Provided by