Edit tour

Windows Analysis Report
x3xqeKOaAd.exe

Overview

General Information

Sample name:	x3xqeKOaAd.exe renamed because original name is a hash value
Original sample name:	0e96337c9c239e6151b82cd4caca508f1235787b14024e22f75606901016b232.exe
Analysis ID:	1633526
MD5:	149bc9b44d2de9b5caeb4b215058b07a
SHA1:	acfcc6e91f1e5c82a408ede82ac43f46979df2e8
SHA256:	0e96337c9c239e6151b82cd4caca508f1235787b14024e22f75606901016b232
Tags:	exeVenomRATuser-adrian__luca
Infos:

Detection

AsyncRAT, VenomRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Connects to a pastebin service (likely for C&C)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

x3xqeKOaAd.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\x3xqeKOaAd.exe" MD5: 149BC9B44D2DE9B5CAEB4B215058B07A)

powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8076 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7696 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7812 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7820 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

xEnNgUs.exe (PID: 7896 cmdline: C:\Users\user\AppData\Roaming\xEnNgUs.exe MD5: 149BC9B44D2DE9B5CAEB4B215058B07A)

schtasks.exe (PID: 7188 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7304 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

svchost.exe (PID: 7952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: VenomRAT

{"Pastebin Link": "https://pastebin.com/raw/QEnWNXJJ", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Install": "false", "Mutex": "orsumlkwoyci", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "LdOf21NUHwGkz1FBnlqP3lXC2OZOjK6ARlWAgW4uzaVcDXPb3YzExKwPHt7wUqWDdXuQAvdJWVbAh+If7MYred70dWkQ01Rq106fuJV4Fw9myGH9/ch7XBoRnJPQ03AoqO1uNyJ1nrq6916ZlrcDdddSeD6LIMUJogmCwpqz2y4="}

Threatname: AsyncRAT

{"Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Mutex": "orsumlkwoyci", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "LdOf21NUHwGkz1FBnlqP3lXC2OZOjK6ARlWAgW4uzaVcDXPb3YzExKwPHt7wUqWDdXuQAvdJWVbAh+If7MYred70dWkQ01Rq106fuJV4Fw9myGH9/ch7XBoRnJPQ03AoqO1uNyJ1nrq6916ZlrcDdddSeD6LIMUJogmCwpqz2y4=", "External_config_on_Pastebin": "https://pastebin.com/raw/QEnWNXJJ"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: x3xqeKOaAd.exe PID: 7552	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: x3xqeKOaAd.exe PID: 7552	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xEnNgUs.exe PID: 7896	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: xEnNgUs.exe PID: 7896	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 7304	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xd55a:$str03: Po_ng 0xc138:$str04: Pac_ket 0xdd00:$str05: Perfor_mance 0xdd44:$str06: Install_ed 0x86cd:$str07: get_IsConnected 0x99c5:$str08: get_ActivatePo_ng 0xaa94:$str09: isVM_by_wim_temper 0xd576:$str10: save_Plugin 0xd824:$str11: timeout 3 > NUL 0xd8ba:$str12: ProcessHacker.exe 0xdaac:$str13: Select * from Win32_CacheMemory
0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xdaac:$q1: Select * from Win32_CacheMemory 0xdaec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb3a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb88:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
15.2.MSBuild.exe.400000.0.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf35a:$str03: Po_ng 0xdf38:$str04: Pac_ket 0xfb00:$str05: Perfor_mance 0xfb44:$str06: Install_ed 0xa4cd:$str07: get_IsConnected 0xb7c5:$str08: get_ActivatePo_ng 0xc894:$str09: isVM_by_wim_temper 0xf376:$str10: save_Plugin 0xf624:$str11: timeout 3 > NUL 0xf6ba:$str12: ProcessHacker.exe 0xf8ac:$str13: Select * from Win32_CacheMemory
15.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8ac:$q1: Select * from Win32_CacheMemory 0xf8ec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf93a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf988:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.xEnNgUs.exe.2f46550.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.xEnNgUs.exe.2f46550.1.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xd55a:$str03: Po_ng 0xc138:$str04: Pac_ket 0xdd00:$str05: Perfor_mance 0xdd44:$str06: Install_ed 0x86cd:$str07: get_IsConnected 0x99c5:$str08: get_ActivatePo_ng 0xaa94:$str09: isVM_by_wim_temper 0xd576:$str10: save_Plugin 0xd824:$str11: timeout 3 > NUL 0xd8ba:$str12: ProcessHacker.exe 0xdaac:$str13: Select * from Win32_CacheMemory
9.2.xEnNgUs.exe.2f46550.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xdaac:$q1: Select * from Win32_CacheMemory 0xdaec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb3a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb88:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.xEnNgUs.exe.2f33c6c.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.xEnNgUs.exe.2f33c6c.2.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xd55a:$str03: Po_ng 0xc138:$str04: Pac_ket 0xdd00:$str05: Perfor_mance 0xdd44:$str06: Install_ed 0x86cd:$str07: get_IsConnected 0x99c5:$str08: get_ActivatePo_ng 0xaa94:$str09: isVM_by_wim_temper 0xd576:$str10: save_Plugin 0xd824:$str11: timeout 3 > NUL 0xd8ba:$str12: ProcessHacker.exe 0xdaac:$str13: Select * from Win32_CacheMemory
9.2.xEnNgUs.exe.2f33c6c.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xdaac:$q1: Select * from Win32_CacheMemory 0xdaec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb3a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb88:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.x3xqeKOaAd.exe.2eb0640.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.x3xqeKOaAd.exe.2eb0640.1.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xd55a:$str03: Po_ng 0xc138:$str04: Pac_ket 0xdd00:$str05: Perfor_mance 0xdd44:$str06: Install_ed 0x86cd:$str07: get_IsConnected 0x99c5:$str08: get_ActivatePo_ng 0xaa94:$str09: isVM_by_wim_temper 0xd576:$str10: save_Plugin 0xd824:$str11: timeout 3 > NUL 0xd8ba:$str12: ProcessHacker.exe 0xdaac:$str13: Select * from Win32_CacheMemory
0.2.x3xqeKOaAd.exe.2eb0640.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xdaac:$q1: Select * from Win32_CacheMemory 0xdaec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xdb3a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xdb88:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.xEnNgUs.exe.2f46550.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.xEnNgUs.exe.2f46550.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf35a:$str03: Po_ng 0x22df6:$str03: Po_ng 0xdf38:$str04: Pac_ket 0x219d4:$str04: Pac_ket 0xfb00:$str05: Perfor_mance 0x2359c:$str05: Perfor_mance 0xfb44:$str06: Install_ed 0x235e0:$str06: Install_ed 0xa4cd:$str07: get_IsConnected 0x1df69:$str07: get_IsConnected 0xb7c5:$str08: get_ActivatePo_ng 0x1f261:$str08: get_ActivatePo_ng 0xc894:$str09: isVM_by_wim_temper 0x20330:$str09: isVM_by_wim_temper 0xf376:$str10: save_Plugin 0x22e12:$str10: save_Plugin 0xf624:$str11: timeout 3 > NUL 0x230c0:$str11: timeout 3 > NUL 0xf6ba:$str12: ProcessHacker.exe 0x23156:$str12: ProcessHacker.exe 0xf8ac:$str13: Select * from Win32_CacheMemory
9.2.xEnNgUs.exe.2f46550.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8ac:$q1: Select * from Win32_CacheMemory 0x23348:$q1: Select * from Win32_CacheMemory 0xf8ec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x23388:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf93a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x233d6:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf988:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x23424:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf35a:$str03: Po_ng 0x21c3e:$str03: Po_ng 0x356da:$str03: Po_ng 0xdf38:$str04: Pac_ket 0x2081c:$str04: Pac_ket 0x342b8:$str04: Pac_ket 0xfb00:$str05: Perfor_mance 0x223e4:$str05: Perfor_mance 0x35e80:$str05: Perfor_mance 0xfb44:$str06: Install_ed 0x22428:$str06: Install_ed 0x35ec4:$str06: Install_ed 0xa4cd:$str07: get_IsConnected 0x1cdb1:$str07: get_IsConnected 0x3084d:$str07: get_IsConnected 0xb7c5:$str08: get_ActivatePo_ng 0x1e0a9:$str08: get_ActivatePo_ng 0x31b45:$str08: get_ActivatePo_ng 0xc894:$str09: isVM_by_wim_temper 0x1f178:$str09: isVM_by_wim_temper 0x32c14:$str09: isVM_by_wim_temper
9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8ac:$q1: Select * from Win32_CacheMemory 0x22190:$q1: Select * from Win32_CacheMemory 0x35c2c:$q1: Select * from Win32_CacheMemory 0xf8ec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221d0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x35c6c:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf93a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x2221e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x35cba:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf988:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2226c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x35d08:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf35a:$str03: Po_ng 0x21c3e:$str03: Po_ng 0x36da2:$str03: Po_ng 0xdf38:$str04: Pac_ket 0x2081c:$str04: Pac_ket 0x35980:$str04: Pac_ket 0xfb00:$str05: Perfor_mance 0x223e4:$str05: Perfor_mance 0x37548:$str05: Perfor_mance 0xfb44:$str06: Install_ed 0x22428:$str06: Install_ed 0x3758c:$str06: Install_ed 0xa4cd:$str07: get_IsConnected 0x1cdb1:$str07: get_IsConnected 0x31f15:$str07: get_IsConnected 0xb7c5:$str08: get_ActivatePo_ng 0x1e0a9:$str08: get_ActivatePo_ng 0x3320d:$str08: get_ActivatePo_ng 0xc894:$str09: isVM_by_wim_temper 0x1f178:$str09: isVM_by_wim_temper 0x342dc:$str09: isVM_by_wim_temper
0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8ac:$q1: Select * from Win32_CacheMemory 0x22190:$q1: Select * from Win32_CacheMemory 0x372f4:$q1: Select * from Win32_CacheMemory 0xf8ec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x221d0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x37334:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf93a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x2221e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x37382:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf988:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x2226c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x373d0:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack	rat_win_dcrat_qwqdanchun	Find DcRAT samples (qwqdanchun) based on specific strings	Sekoia.io	0xf35a:$str03: Po_ng 0x244be:$str03: Po_ng 0xdf38:$str04: Pac_ket 0x2309c:$str04: Pac_ket 0xfb00:$str05: Perfor_mance 0x24c64:$str05: Perfor_mance 0xfb44:$str06: Install_ed 0x24ca8:$str06: Install_ed 0xa4cd:$str07: get_IsConnected 0x1f631:$str07: get_IsConnected 0xb7c5:$str08: get_ActivatePo_ng 0x20929:$str08: get_ActivatePo_ng 0xc894:$str09: isVM_by_wim_temper 0x219f8:$str09: isVM_by_wim_temper 0xf376:$str10: save_Plugin 0x244da:$str10: save_Plugin 0xf624:$str11: timeout 3 > NUL 0x24788:$str11: timeout 3 > NUL 0xf6ba:$str12: ProcessHacker.exe 0x2481e:$str12: ProcessHacker.exe 0xf8ac:$str13: Select * from Win32_CacheMemory
0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xf8ac:$q1: Select * from Win32_CacheMemory 0x24a10:$q1: Select * from Win32_CacheMemory 0xf8ec:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x24a50:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xf93a:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x24a9e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xf988:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x24aec:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x3xqeKOaAd.exe", ParentImage: C:\Users\user\Desktop\x3xqeKOaAd.exe, ParentProcessId: 7552, ParentProcessName: x3xqeKOaAd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe", ProcessId: 7668, ProcessName: powershell.exe

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.20.4.235, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7840, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49711

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xEnNgUs.exe, ParentImage: C:\Users\user\AppData\Roaming\xEnNgUs.exe, ParentProcessId: 7896, ParentProcessName: xEnNgUs.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp", ProcessId: 7188, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\x3xqeKOaAd.exe", ParentImage: C:\Users\user\Desktop\x3xqeKOaAd.exe, ParentProcessId: 7552, ParentProcessName: x3xqeKOaAd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp", ProcessId: 7696, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\x3xqeKOaAd.exe", ParentImage: C:\Users\user\Desktop\x3xqeKOaAd.exe, ParentProcessId: 7552, ParentProcessName: x3xqeKOaAd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe", ProcessId: 7668, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7952, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\x3xqeKOaAd.exe", ParentImage: C:\Users\user\Desktop\x3xqeKOaAd.exe, ParentProcessId: 7552, ParentProcessName: x3xqeKOaAd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp", ProcessId: 7696, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T12:56:43.948048+0100	2803305	3	Unknown Traffic	192.168.2.4	49718	104.20.4.235	443	TCP
2025-03-10T12:56:53.081678+0100	2803305	3	Unknown Traffic	192.168.2.4	49723	104.20.4.235	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x3xqeKOaAd.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe

Avira: detection malicious, Label: TR/AD.Nekark.lkcuf

Found malware configuration

Source: 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Mutex": "orsumlkwoyci", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "LdOf21NUHwGkz1FBnlqP3lXC2OZOjK6ARlWAgW4uzaVcDXPb3YzExKwPHt7wUqWDdXuQAvdJWVbAh+If7MYred70dWkQ01Rq106fuJV4Fw9myGH9/ch7XBoRnJPQ03AoqO1uNyJ1nrq6916ZlrcDdddSeD6LIMUJogmCwpqz2y4=", "External_config_on_Pastebin": "https://pastebin.com/raw/QEnWNXJJ"}
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	Malware Configuration Extractor: VenomRAT {"Pastebin Link": "https://pastebin.com/raw/QEnWNXJJ", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Install": "false", "Mutex": "orsumlkwoyci", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "Server Signature": "LdOf21NUHwGkz1FBnlqP3lXC2OZOjK6ARlWAgW4uzaVcDXPb3YzExKwPHt7wUqWDdXuQAvdJWVbAh+If7MYred70dWkQ01Rq106fuJV4Fw9myGH9/ch7XBoRnJPQ03AoqO1uNyJ1nrq6916ZlrcDdddSeD6LIMUJogmCwpqz2y4="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Virustotal: Detection: 75%			Perma Link

Multi AV Scanner detection for submitted file

Source: x3xqeKOaAd.exe	Virustotal: Detection: 75%			Perma Link
Source: x3xqeKOaAd.exe	ReversingLabs: Detection: 68%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: null
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: null
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: false
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: orsumlkwoyci
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: LdOf21NUHwGkz1FBnlqP3lXC2OZOjK6ARlWAgW4uzaVcDXPb3YzExKwPHt7wUqWDdXuQAvdJWVbAh+If7MYred70dWkQ01Rq106fuJV4Fw9myGH9/ch7XBoRnJPQ03AoqO1uNyJ1nrq6916ZlrcDdddSeD6LIMUJogmCwpqz2y4=
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: https://pastebin.com/raw/QEnWNXJJ
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: false
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: BEST
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: false
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack	String decryptor: false

Source: x3xqeKOaAd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49711 version: TLS 1.2

Source: x3xqeKOaAd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: STqfW.pdb source: x3xqeKOaAd.exe, xEnNgUs.exe.0.dr
Source:	Binary string: STqfW.pdbSHA256 source: x3xqeKOaAd.exe, xEnNgUs.exe.0.dr

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.4:49713 -> 217.138.204.42:61626

Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49723 -> 104.20.4.235:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49718 -> 104.20.4.235:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42
Source: unknown	TCP traffic detected without corresponding DNS query: 217.138.204.42

Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/QEnWNXJJ HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog

Source: svchost.exe, 0000000A.00000002.2860855615.000001310CC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CA38000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CA38000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CA38000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CA6D000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.10.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: MSBuild.exe, 00000008.00000002.3636438224.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002956000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: x3xqeKOaAd.exe, 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002813000.00000004.00000800.00020000.00000000.sdmp, xEnNgUs.exe, 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: x3xqeKOaAd.exe, 00000000.00000002.1222797973.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CAE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CAE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 0000000A.00000003.1204154330.000001310CAE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: MSBuild.exe, 00000008.00000002.3636438224.0000000002813000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.00000000029B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002A79000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002956000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002C7B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002AF5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.3636438224.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: MSBuild.exe, 0000000F.00000002.1265392973.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/QEnWNXJJ

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x3xqeKOaAd.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xEnNgUs.exe PID: 7896, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7304, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE	Matched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00C032C8 NtProtectVirtualMemory,		8_2_00C032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00C02E73 NtProtectVirtualMemory,		8_2_00C02E73

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_01333E18	0_2_01333E18
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_0133E054	0_2_0133E054
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_01336F9B	0_2_01336F9B
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076EB7B0	0_2_076EB7B0
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E3630	0_2_076E3630
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E4D02	0_2_076E4D02
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076EB7A0	0_2_076EB7A0
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076EF0E0	0_2_076EF0E0
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E7E60	0_2_076E7E60
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E7E50	0_2_076E7E50
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E6EE9	0_2_076E6EE9
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076EECA8	0_2_076EECA8
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E7B61	0_2_076E7B61
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076E7B70	0_2_076E7B70
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_076EE86A	0_2_076EE86A
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_07874C29	0_2_07874C29
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_078711E8	0_2_078711E8
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_078711F8	0_2_078711F8
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_07870848	0_2_07870848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00C026F8	8_2_00C026F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00C026E7	8_2_00C026E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00C02E73	8_2_00C02E73
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_01363E18	9_2_01363E18
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_0136E054	9_2_0136E054
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_01366F9B	9_2_01366F9B
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_0715B7B0	9_2_0715B7B0
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07153630	9_2_07153630
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07154D02	9_2_07154D02
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_0715B7A0	9_2_0715B7A0
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_0715F210	9_2_0715F210
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07157E50	9_2_07157E50
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07157E60	9_2_07157E60
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07156EE9	9_2_07156EE9
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_0715EDD8	9_2_0715EDD8
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07157B70	9_2_07157B70
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_07157B61	9_2_07157B61
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Code function: 9_2_0715E992	9_2_0715E992

Source: x3xqeKOaAd.exe, 00000000.00000002.1225606908.000000000A0F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1223710494.0000000007590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientAny.exe" vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1219610507.0000000003C79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1219610507.0000000004490000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe, 00000000.00000000.1165583459.000000000097E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSTqfW.exe8 vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1217149474.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs x3xqeKOaAd.exe
Source: x3xqeKOaAd.exe	Binary or memory string: OriginalFilenameSTqfW.exe8 vs x3xqeKOaAd.exe

Source: x3xqeKOaAd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI

Source: x3xqeKOaAd.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xEnNgUs.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, Settings.cs	Base64 encoded string: 'Z5G8VJz025Lnhe8cfnqRzTT3nqgeq/jfeTB2RkuWik6r8MBVEdTQc4VjfbBOAoBc22xJACoBDpLuLgCEmAtZFw==', 'leNFwIzY58Qomh9ldMhoj/wkDiEjGO+G0GSKcawvKsUwMvmuWd5McEuGQw1IJS+l1nAeXNB7cg4SbLddgEFMqQ==', 'hg3xi9zmNMgEKoAeV/MxAlAZdVJNfA4nNLIGjiG0tYYa6SY2WEz9eAVA5xunyMLNURk/TrjJVnS9mtASEi8Zcg==', 'JHVJvhFY463ydsVssulBrMjE47OsHr2gXQrmyazB/OEfmMUzYArpNBVM7yMO9q2A6eYB3rK4RZx8YoF0VmFbjGDdx65ZYoeqj/5Lmt2D1JzeFDWgKgSDfYlehgiJgwQ8', 'g54zCxYIC0SolIROzEunq/z9KoGZbS16hqsYx+K2fBdu+AS2Vo+JxQBDPhP6EwMmZaDXEtmo6VXWVsx84aO6Uw=='
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, Settings.cs	Base64 encoded string: 'Z5G8VJz025Lnhe8cfnqRzTT3nqgeq/jfeTB2RkuWik6r8MBVEdTQc4VjfbBOAoBc22xJACoBDpLuLgCEmAtZFw==', 'leNFwIzY58Qomh9ldMhoj/wkDiEjGO+G0GSKcawvKsUwMvmuWd5McEuGQw1IJS+l1nAeXNB7cg4SbLddgEFMqQ==', 'hg3xi9zmNMgEKoAeV/MxAlAZdVJNfA4nNLIGjiG0tYYa6SY2WEz9eAVA5xunyMLNURk/TrjJVnS9mtASEi8Zcg==', 'JHVJvhFY463ydsVssulBrMjE47OsHr2gXQrmyazB/OEfmMUzYArpNBVM7yMO9q2A6eYB3rK4RZx8YoF0VmFbjGDdx65ZYoeqj/5Lmt2D1JzeFDWgKgSDfYlehgiJgwQ8', 'g54zCxYIC0SolIROzEunq/z9KoGZbS16hqsYx+K2fBdu+AS2Vo+JxQBDPhP6EwMmZaDXEtmo6VXWVsx84aO6Uw=='

Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, ofGqjhP6Hadggk7CX8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, ofGqjhP6Hadggk7CX8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, PjsyO1gY6UijNSNcGV.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, ofGqjhP6Hadggk7CX8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, ofGqjhP6Hadggk7CX8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, ofGqjhP6Hadggk7CX8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, ofGqjhP6Hadggk7CX8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/18@4/4

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

File created: C:\Users\user\AppData\Roaming\xEnNgUs.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Mutant created: \Sessions\1\BaseNamedObjects\dmvdDbitqnWsKczFbspq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\orsumlkwoyci

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

File created: C:\Users\user\AppData\Local\Temp\tmp571D.tmp

Jump to behavior

Source: x3xqeKOaAd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: x3xqeKOaAd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x3xqeKOaAd.exe	Virustotal: Detection: 75%
Source: x3xqeKOaAd.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

File read: C:\Users\user\Desktop\x3xqeKOaAd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\x3xqeKOaAd.exe "C:\Users\user\Desktop\x3xqeKOaAd.exe"
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xEnNgUs.exe C:\Users\user\AppData\Roaming\xEnNgUs.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: x3xqeKOaAd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: x3xqeKOaAd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: x3xqeKOaAd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: STqfW.pdb source: x3xqeKOaAd.exe, xEnNgUs.exe.0.dr
Source:	Binary string: STqfW.pdbSHA256 source: x3xqeKOaAd.exe, xEnNgUs.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, PjsyO1gY6UijNSNcGV.cs	.Net Code: jC6ImgHYB3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.x3xqeKOaAd.exe.7590000.5.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, PjsyO1gY6UijNSNcGV.cs	.Net Code: jC6ImgHYB3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, PjsyO1gY6UijNSNcGV.cs	.Net Code: jC6ImgHYB3 System.Reflection.Assembly.Load(byte[])

Source: x3xqeKOaAd.exe

Static PE information: 0x88C592A7 [Thu Sep 18 10:38:31 2042 UTC]

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_0133E963 pushfd ; retf		0_2_0133E969
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Code function: 0_2_0787872D push FFFFFF8Bh; iretd		0_2_0787872F

Source: x3xqeKOaAd.exe	Static PE information: section name: .text entropy: 7.5038384914632905
Source: xEnNgUs.exe.0.dr	Static PE information: section name: .text entropy: 7.5038384914632905

Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, EPRVimDEQOQskjX9A2A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OoQGSTmRup', 'fxhGBkv0WM', 'JpNGQjSfmQ', 'vhsGsKjBl4', 'C7qGkt3Ka3', 'H8eGYRygH4', 'z0qGF6qK9D'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, O6wFSODISfeofwCafsl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tY00eYRdx0', 'ENF0Gjyd35', 'Yrt0OeF0nZ', 'sKT00NdI34', 'gMK0Kvv7hu', 'Q8P0rBUsxK', 'LI20iTBfFv'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, F44D14LydoSgr6Ta3U.cs	High entropy of concatenated method names: 'BRjelS7Kb4', 'Um9ec0AllG', 'PbreetigTu', 'k1TeOgoN1p', 'PAdeKb4sBe', 'sK7eiDhK67', 'Dispose', 'JVEU9OvYnx', 'X3bUH8mpKs', 'nuUUwLrdAG'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, yRmjK5DDn6cjMiS5buZ.cs	High entropy of concatenated method names: 'dmNGbWouFk', 'FS5GzqoXj3', 'lPcOEBBoSX', 'HaHODC9le1', 'mtLOXlRCrC', 'sVVOpdj4uy', 'DWNOIrMYSn', 'TJdOhlB0kD', 'eB9O9YePXN', 'Q2ROH6mfbs'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, AAmSOSziMSsHK9CngX.cs	High entropy of concatenated method names: 'xYoGyL3Ijj', 'c7LGPPnGCR', 'YMBGWDlKjA', 'lulGq0PkWU', 'GtQGJvkZ1W', 'UpNGvsqU8h', 'LTPG6smN8s', 'Mu2GiQUkWh', 'vFNGMY3Ie1', 'SdhGVsBDGn'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, Q9VWCgYiW9BaDf203N.cs	High entropy of concatenated method names: 'ToString', 'aFu4SJox13', 'iIW4JeCO6w', 'Ysv43CMyZc', 'YjC4vi6yXF', 'gRb46nA3pD', 'y6Z42sCa0R', 'bG84AuUym2', 'J454u84U37', 'JM141o14YP'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, it9wtiHb2TLBXhFPsL.cs	High entropy of concatenated method names: 'Dispose', 'kSgD7r6Ta3', 'LeOXJ6pOpf', 'hH1lV6tjcX', 'qVQDbCIrDN', 'PWTDzWYlNi', 'ProcessDialogKey', 'fTkXEVyUjI', 'QHAXDcYBEr', 'PjUXX6N7r0'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, uxX9DMfFYRvr9piiVl.cs	High entropy of concatenated method names: 'YyynZyuYoo', 'dewnjD7ZwI', 'Eo4w3Cisja', 'jCWwvTNKsu', 'RLaw6gxSli', 'T8mw29nKGR', 'kytwAZ0VxP', 'DqEwuPYiUS', 'jilw1mhig7', 'IY6wTfuan3'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, TdUOGn1ZahMv3X7qj1.cs	High entropy of concatenated method names: 'HoRtMEWn14', 'bEhtVU3HSh', 'dTItmfKZlX', 'JFTtdja2Cb', 'an6tZseOdR', 'Mlwty6ZCoF', 'zbptjSs4dB', 'aAOtPUDtoK', 'DultW2YIxw', 'NNwtfUtUdy'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, tcyXT8J0nNij6gBV1b.cs	High entropy of concatenated method names: 'VYRMCZcFkK3w74iLk16', 'jUTFThc5TJiAx1uDAal', 'iMR5UOe6sd', 'p9g5epUFo4', 'RFG5GD80NB', 'jR7frDcMPaHqHEmGaA8', 'ldb3Khc0nheeXVrVHn2'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, PjsyO1gY6UijNSNcGV.cs	High entropy of concatenated method names: 'JrSphE25qm', 'URsp9Mf6T0', 'cOLpHg5UPl', 'IRBpwZKM44', 'uRupnveEAI', 'KL2p5xyV4j', 'xGwptgn8oS', 'cmHpgK87xf', 'd96poVUiVX', 'VY3pNH8TI5'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, kIFjcQAas8x1HpeMmO.cs	High entropy of concatenated method names: 'SDQt9E8WF0', 'LJWtwNB4Vv', 'nTMt53XX07', 'DAo5bBuu2Y', 'DBK5zBbyTQ', 'luTtEExEWa', 'hLktDjBnew', 'tp1tXNnUXV', 'QMEtpGUvbb', 'cWxtIAZu9e'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, mGCZ4gWBLVWt4ucrI7.cs	High entropy of concatenated method names: 'L3xwdM6jNQ', 'VyUwyr0k1a', 'pS1wP8TGiL', 'R6ywW9FfIJ', 'QBswlfjNem', 'kaEw45dLlO', 'QYpwck5fy0', 'ttmwUhm0Yl', 'xEEweP4YjC', 'IB9wGtriLN'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, ofGqjhP6Hadggk7CX8.cs	High entropy of concatenated method names: 'Q9VHs6sYB7', 'pjZHki8UlP', 'BgoHYjTmNf', 'zCGHFhFPyv', 'r7CH8rJ8U7', 'WgiHxMm8mj', 'kptHLcJpfk', 'GLtHaaTWvh', 'SD1H7IN9Uw', 'u6iHbLH7gd'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, ohpOW6qqSGaBOrL1W7.cs	High entropy of concatenated method names: 'cmt5hoIDRu', 'Hs85HtWN6n', 'Bmh5niRL8T', 'xTc5tqH3Px', 'NpX5gccJtp', 'hyTn86iooP', 'hCpnxx7SCh', 'D9onLFQY8w', 'stBnamsy35', 'OSAn7fcK0n'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, kmSaM4xnYHOJIdJV3f.cs	High entropy of concatenated method names: 'x9VcaujM1A', 'g8CcbNjTll', 'tjdUEbH7hm', 'JNJUDuVMYy', 'tIYcSOTYh1', 'MkkcBZr3cr', 'VJocQNM8g5', 'KATcs8r5kK', 'RIAckyiRIb', 'S7EcYxTXYQ'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, KCaR1vFCm0JeDSrt3h.cs	High entropy of concatenated method names: 'nqvcNKdN8A', 'ONpcR3SGmy', 'ToString', 'y3wc9GjsMZ', 'FjqcHDGBu5', 's1tcwCwxmL', 'eq5cnNTMJE', 'aTSc5B8auX', 'zJrctvYhbR', 'URqcgypXco'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, vlKlLoQNZu1BkVHFvr.cs	High entropy of concatenated method names: 'zbiCPC6DfM', 'Wu0CWlKZYG', 'pJACqA2FiJ', 'uN2CJBeB2j', 'cPbCvEak7K', 'pEeC6s4A6C', 'FDXCAOywOk', 'LncCux5H6L', 'Ou7CTbWBAw', 'lWdCSbS3Kk'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, rci4A8sLTNPuVCAyMt.cs	High entropy of concatenated method names: 'mqWlT5uaiv', 'n5SlBeZ5oC', 'ehglsKft1m', 'vyolkyaJ3s', 'd9MlJ6VcVf', 'ThBl3dQA0i', 'fq3lvd3aC5', 'GNXl6yrOtI', 'Fl9l2ULASW', 'LsJlA55wYk'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, RVyUjI7sHAcYBErQjU.cs	High entropy of concatenated method names: 'J94eqr7LKx', 'i1peJgmRis', 'gVWe3IQ8UH', 'n4pev0IxGw', 'RiIe6EiCGQ', 'ebee2d6GGL', 'tv0eAycDOX', 'vg4euEyZ1V', 'rdme1wCUlQ', 'YAUeTEyBTR'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, jTku6CIBdjTI3c1PI7.cs	High entropy of concatenated method names: 'MjCDtfGqjh', 'JHaDgdggk7', 'kBLDNVWt4u', 'qrIDR7OxX9', 'ciiDlVllhp', 'tW6D4qSGaB', 'y8RiDSkt4Aq6nEP3kE', 'RqIa8DT3W4TLVLrtEg', 'ICPDDvW2mb', 'jZLDpjDFt2'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, JN7r0DbKRXSIHB01a6.cs	High entropy of concatenated method names: 'SfgGwBMbTQ', 'NAmGnPNkey', 'gqsG5vsJb2', 'QiwGtZeEsi', 'WxRGeIwtUT', 'NZKGgIfBW9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.x3xqeKOaAd.exe.a0f0000.6.raw.unpack, dpUFP5XCivulAUrppt.cs	High entropy of concatenated method names: 'XO1mYau4g', 'Uajd8gawX', 'SGkyYHNus', 'lkmjV71OU', 'pqmW8n3gn', 'L6Vf5bJsg', 'dbO4PWCsBARdajviUe', 'UF3cH7y17MQDl1OgKj', 'NfpUhKCQo', 'EsnGEntG1'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, EPRVimDEQOQskjX9A2A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OoQGSTmRup', 'fxhGBkv0WM', 'JpNGQjSfmQ', 'vhsGsKjBl4', 'C7qGkt3Ka3', 'H8eGYRygH4', 'z0qGF6qK9D'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, O6wFSODISfeofwCafsl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tY00eYRdx0', 'ENF0Gjyd35', 'Yrt0OeF0nZ', 'sKT00NdI34', 'gMK0Kvv7hu', 'Q8P0rBUsxK', 'LI20iTBfFv'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, F44D14LydoSgr6Ta3U.cs	High entropy of concatenated method names: 'BRjelS7Kb4', 'Um9ec0AllG', 'PbreetigTu', 'k1TeOgoN1p', 'PAdeKb4sBe', 'sK7eiDhK67', 'Dispose', 'JVEU9OvYnx', 'X3bUH8mpKs', 'nuUUwLrdAG'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, yRmjK5DDn6cjMiS5buZ.cs	High entropy of concatenated method names: 'dmNGbWouFk', 'FS5GzqoXj3', 'lPcOEBBoSX', 'HaHODC9le1', 'mtLOXlRCrC', 'sVVOpdj4uy', 'DWNOIrMYSn', 'TJdOhlB0kD', 'eB9O9YePXN', 'Q2ROH6mfbs'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, AAmSOSziMSsHK9CngX.cs	High entropy of concatenated method names: 'xYoGyL3Ijj', 'c7LGPPnGCR', 'YMBGWDlKjA', 'lulGq0PkWU', 'GtQGJvkZ1W', 'UpNGvsqU8h', 'LTPG6smN8s', 'Mu2GiQUkWh', 'vFNGMY3Ie1', 'SdhGVsBDGn'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, Q9VWCgYiW9BaDf203N.cs	High entropy of concatenated method names: 'ToString', 'aFu4SJox13', 'iIW4JeCO6w', 'Ysv43CMyZc', 'YjC4vi6yXF', 'gRb46nA3pD', 'y6Z42sCa0R', 'bG84AuUym2', 'J454u84U37', 'JM141o14YP'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, it9wtiHb2TLBXhFPsL.cs	High entropy of concatenated method names: 'Dispose', 'kSgD7r6Ta3', 'LeOXJ6pOpf', 'hH1lV6tjcX', 'qVQDbCIrDN', 'PWTDzWYlNi', 'ProcessDialogKey', 'fTkXEVyUjI', 'QHAXDcYBEr', 'PjUXX6N7r0'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, uxX9DMfFYRvr9piiVl.cs	High entropy of concatenated method names: 'YyynZyuYoo', 'dewnjD7ZwI', 'Eo4w3Cisja', 'jCWwvTNKsu', 'RLaw6gxSli', 'T8mw29nKGR', 'kytwAZ0VxP', 'DqEwuPYiUS', 'jilw1mhig7', 'IY6wTfuan3'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, TdUOGn1ZahMv3X7qj1.cs	High entropy of concatenated method names: 'HoRtMEWn14', 'bEhtVU3HSh', 'dTItmfKZlX', 'JFTtdja2Cb', 'an6tZseOdR', 'Mlwty6ZCoF', 'zbptjSs4dB', 'aAOtPUDtoK', 'DultW2YIxw', 'NNwtfUtUdy'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, tcyXT8J0nNij6gBV1b.cs	High entropy of concatenated method names: 'VYRMCZcFkK3w74iLk16', 'jUTFThc5TJiAx1uDAal', 'iMR5UOe6sd', 'p9g5epUFo4', 'RFG5GD80NB', 'jR7frDcMPaHqHEmGaA8', 'ldb3Khc0nheeXVrVHn2'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, PjsyO1gY6UijNSNcGV.cs	High entropy of concatenated method names: 'JrSphE25qm', 'URsp9Mf6T0', 'cOLpHg5UPl', 'IRBpwZKM44', 'uRupnveEAI', 'KL2p5xyV4j', 'xGwptgn8oS', 'cmHpgK87xf', 'd96poVUiVX', 'VY3pNH8TI5'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, kIFjcQAas8x1HpeMmO.cs	High entropy of concatenated method names: 'SDQt9E8WF0', 'LJWtwNB4Vv', 'nTMt53XX07', 'DAo5bBuu2Y', 'DBK5zBbyTQ', 'luTtEExEWa', 'hLktDjBnew', 'tp1tXNnUXV', 'QMEtpGUvbb', 'cWxtIAZu9e'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, mGCZ4gWBLVWt4ucrI7.cs	High entropy of concatenated method names: 'L3xwdM6jNQ', 'VyUwyr0k1a', 'pS1wP8TGiL', 'R6ywW9FfIJ', 'QBswlfjNem', 'kaEw45dLlO', 'QYpwck5fy0', 'ttmwUhm0Yl', 'xEEweP4YjC', 'IB9wGtriLN'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, ofGqjhP6Hadggk7CX8.cs	High entropy of concatenated method names: 'Q9VHs6sYB7', 'pjZHki8UlP', 'BgoHYjTmNf', 'zCGHFhFPyv', 'r7CH8rJ8U7', 'WgiHxMm8mj', 'kptHLcJpfk', 'GLtHaaTWvh', 'SD1H7IN9Uw', 'u6iHbLH7gd'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, ohpOW6qqSGaBOrL1W7.cs	High entropy of concatenated method names: 'cmt5hoIDRu', 'Hs85HtWN6n', 'Bmh5niRL8T', 'xTc5tqH3Px', 'NpX5gccJtp', 'hyTn86iooP', 'hCpnxx7SCh', 'D9onLFQY8w', 'stBnamsy35', 'OSAn7fcK0n'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, kmSaM4xnYHOJIdJV3f.cs	High entropy of concatenated method names: 'x9VcaujM1A', 'g8CcbNjTll', 'tjdUEbH7hm', 'JNJUDuVMYy', 'tIYcSOTYh1', 'MkkcBZr3cr', 'VJocQNM8g5', 'KATcs8r5kK', 'RIAckyiRIb', 'S7EcYxTXYQ'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, KCaR1vFCm0JeDSrt3h.cs	High entropy of concatenated method names: 'nqvcNKdN8A', 'ONpcR3SGmy', 'ToString', 'y3wc9GjsMZ', 'FjqcHDGBu5', 's1tcwCwxmL', 'eq5cnNTMJE', 'aTSc5B8auX', 'zJrctvYhbR', 'URqcgypXco'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, vlKlLoQNZu1BkVHFvr.cs	High entropy of concatenated method names: 'zbiCPC6DfM', 'Wu0CWlKZYG', 'pJACqA2FiJ', 'uN2CJBeB2j', 'cPbCvEak7K', 'pEeC6s4A6C', 'FDXCAOywOk', 'LncCux5H6L', 'Ou7CTbWBAw', 'lWdCSbS3Kk'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, rci4A8sLTNPuVCAyMt.cs	High entropy of concatenated method names: 'mqWlT5uaiv', 'n5SlBeZ5oC', 'ehglsKft1m', 'vyolkyaJ3s', 'd9MlJ6VcVf', 'ThBl3dQA0i', 'fq3lvd3aC5', 'GNXl6yrOtI', 'Fl9l2ULASW', 'LsJlA55wYk'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, RVyUjI7sHAcYBErQjU.cs	High entropy of concatenated method names: 'J94eqr7LKx', 'i1peJgmRis', 'gVWe3IQ8UH', 'n4pev0IxGw', 'RiIe6EiCGQ', 'ebee2d6GGL', 'tv0eAycDOX', 'vg4euEyZ1V', 'rdme1wCUlQ', 'YAUeTEyBTR'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, jTku6CIBdjTI3c1PI7.cs	High entropy of concatenated method names: 'MjCDtfGqjh', 'JHaDgdggk7', 'kBLDNVWt4u', 'qrIDR7OxX9', 'ciiDlVllhp', 'tW6D4qSGaB', 'y8RiDSkt4Aq6nEP3kE', 'RqIa8DT3W4TLVLrtEg', 'ICPDDvW2mb', 'jZLDpjDFt2'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, JN7r0DbKRXSIHB01a6.cs	High entropy of concatenated method names: 'SfgGwBMbTQ', 'NAmGnPNkey', 'gqsG5vsJb2', 'QiwGtZeEsi', 'WxRGeIwtUT', 'NZKGgIfBW9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.x3xqeKOaAd.exe.4655688.4.raw.unpack, dpUFP5XCivulAUrppt.cs	High entropy of concatenated method names: 'XO1mYau4g', 'Uajd8gawX', 'SGkyYHNus', 'lkmjV71OU', 'pqmW8n3gn', 'L6Vf5bJsg', 'dbO4PWCsBARdajviUe', 'UF3cH7y17MQDl1OgKj', 'NfpUhKCQo', 'EsnGEntG1'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, EPRVimDEQOQskjX9A2A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OoQGSTmRup', 'fxhGBkv0WM', 'JpNGQjSfmQ', 'vhsGsKjBl4', 'C7qGkt3Ka3', 'H8eGYRygH4', 'z0qGF6qK9D'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, O6wFSODISfeofwCafsl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tY00eYRdx0', 'ENF0Gjyd35', 'Yrt0OeF0nZ', 'sKT00NdI34', 'gMK0Kvv7hu', 'Q8P0rBUsxK', 'LI20iTBfFv'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, F44D14LydoSgr6Ta3U.cs	High entropy of concatenated method names: 'BRjelS7Kb4', 'Um9ec0AllG', 'PbreetigTu', 'k1TeOgoN1p', 'PAdeKb4sBe', 'sK7eiDhK67', 'Dispose', 'JVEU9OvYnx', 'X3bUH8mpKs', 'nuUUwLrdAG'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, yRmjK5DDn6cjMiS5buZ.cs	High entropy of concatenated method names: 'dmNGbWouFk', 'FS5GzqoXj3', 'lPcOEBBoSX', 'HaHODC9le1', 'mtLOXlRCrC', 'sVVOpdj4uy', 'DWNOIrMYSn', 'TJdOhlB0kD', 'eB9O9YePXN', 'Q2ROH6mfbs'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, AAmSOSziMSsHK9CngX.cs	High entropy of concatenated method names: 'xYoGyL3Ijj', 'c7LGPPnGCR', 'YMBGWDlKjA', 'lulGq0PkWU', 'GtQGJvkZ1W', 'UpNGvsqU8h', 'LTPG6smN8s', 'Mu2GiQUkWh', 'vFNGMY3Ie1', 'SdhGVsBDGn'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, Q9VWCgYiW9BaDf203N.cs	High entropy of concatenated method names: 'ToString', 'aFu4SJox13', 'iIW4JeCO6w', 'Ysv43CMyZc', 'YjC4vi6yXF', 'gRb46nA3pD', 'y6Z42sCa0R', 'bG84AuUym2', 'J454u84U37', 'JM141o14YP'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, it9wtiHb2TLBXhFPsL.cs	High entropy of concatenated method names: 'Dispose', 'kSgD7r6Ta3', 'LeOXJ6pOpf', 'hH1lV6tjcX', 'qVQDbCIrDN', 'PWTDzWYlNi', 'ProcessDialogKey', 'fTkXEVyUjI', 'QHAXDcYBEr', 'PjUXX6N7r0'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, uxX9DMfFYRvr9piiVl.cs	High entropy of concatenated method names: 'YyynZyuYoo', 'dewnjD7ZwI', 'Eo4w3Cisja', 'jCWwvTNKsu', 'RLaw6gxSli', 'T8mw29nKGR', 'kytwAZ0VxP', 'DqEwuPYiUS', 'jilw1mhig7', 'IY6wTfuan3'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, TdUOGn1ZahMv3X7qj1.cs	High entropy of concatenated method names: 'HoRtMEWn14', 'bEhtVU3HSh', 'dTItmfKZlX', 'JFTtdja2Cb', 'an6tZseOdR', 'Mlwty6ZCoF', 'zbptjSs4dB', 'aAOtPUDtoK', 'DultW2YIxw', 'NNwtfUtUdy'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, tcyXT8J0nNij6gBV1b.cs	High entropy of concatenated method names: 'VYRMCZcFkK3w74iLk16', 'jUTFThc5TJiAx1uDAal', 'iMR5UOe6sd', 'p9g5epUFo4', 'RFG5GD80NB', 'jR7frDcMPaHqHEmGaA8', 'ldb3Khc0nheeXVrVHn2'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, PjsyO1gY6UijNSNcGV.cs	High entropy of concatenated method names: 'JrSphE25qm', 'URsp9Mf6T0', 'cOLpHg5UPl', 'IRBpwZKM44', 'uRupnveEAI', 'KL2p5xyV4j', 'xGwptgn8oS', 'cmHpgK87xf', 'd96poVUiVX', 'VY3pNH8TI5'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, kIFjcQAas8x1HpeMmO.cs	High entropy of concatenated method names: 'SDQt9E8WF0', 'LJWtwNB4Vv', 'nTMt53XX07', 'DAo5bBuu2Y', 'DBK5zBbyTQ', 'luTtEExEWa', 'hLktDjBnew', 'tp1tXNnUXV', 'QMEtpGUvbb', 'cWxtIAZu9e'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, mGCZ4gWBLVWt4ucrI7.cs	High entropy of concatenated method names: 'L3xwdM6jNQ', 'VyUwyr0k1a', 'pS1wP8TGiL', 'R6ywW9FfIJ', 'QBswlfjNem', 'kaEw45dLlO', 'QYpwck5fy0', 'ttmwUhm0Yl', 'xEEweP4YjC', 'IB9wGtriLN'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, ofGqjhP6Hadggk7CX8.cs	High entropy of concatenated method names: 'Q9VHs6sYB7', 'pjZHki8UlP', 'BgoHYjTmNf', 'zCGHFhFPyv', 'r7CH8rJ8U7', 'WgiHxMm8mj', 'kptHLcJpfk', 'GLtHaaTWvh', 'SD1H7IN9Uw', 'u6iHbLH7gd'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, ohpOW6qqSGaBOrL1W7.cs	High entropy of concatenated method names: 'cmt5hoIDRu', 'Hs85HtWN6n', 'Bmh5niRL8T', 'xTc5tqH3Px', 'NpX5gccJtp', 'hyTn86iooP', 'hCpnxx7SCh', 'D9onLFQY8w', 'stBnamsy35', 'OSAn7fcK0n'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, kmSaM4xnYHOJIdJV3f.cs	High entropy of concatenated method names: 'x9VcaujM1A', 'g8CcbNjTll', 'tjdUEbH7hm', 'JNJUDuVMYy', 'tIYcSOTYh1', 'MkkcBZr3cr', 'VJocQNM8g5', 'KATcs8r5kK', 'RIAckyiRIb', 'S7EcYxTXYQ'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, KCaR1vFCm0JeDSrt3h.cs	High entropy of concatenated method names: 'nqvcNKdN8A', 'ONpcR3SGmy', 'ToString', 'y3wc9GjsMZ', 'FjqcHDGBu5', 's1tcwCwxmL', 'eq5cnNTMJE', 'aTSc5B8auX', 'zJrctvYhbR', 'URqcgypXco'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, vlKlLoQNZu1BkVHFvr.cs	High entropy of concatenated method names: 'zbiCPC6DfM', 'Wu0CWlKZYG', 'pJACqA2FiJ', 'uN2CJBeB2j', 'cPbCvEak7K', 'pEeC6s4A6C', 'FDXCAOywOk', 'LncCux5H6L', 'Ou7CTbWBAw', 'lWdCSbS3Kk'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, rci4A8sLTNPuVCAyMt.cs	High entropy of concatenated method names: 'mqWlT5uaiv', 'n5SlBeZ5oC', 'ehglsKft1m', 'vyolkyaJ3s', 'd9MlJ6VcVf', 'ThBl3dQA0i', 'fq3lvd3aC5', 'GNXl6yrOtI', 'Fl9l2ULASW', 'LsJlA55wYk'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, RVyUjI7sHAcYBErQjU.cs	High entropy of concatenated method names: 'J94eqr7LKx', 'i1peJgmRis', 'gVWe3IQ8UH', 'n4pev0IxGw', 'RiIe6EiCGQ', 'ebee2d6GGL', 'tv0eAycDOX', 'vg4euEyZ1V', 'rdme1wCUlQ', 'YAUeTEyBTR'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, jTku6CIBdjTI3c1PI7.cs	High entropy of concatenated method names: 'MjCDtfGqjh', 'JHaDgdggk7', 'kBLDNVWt4u', 'qrIDR7OxX9', 'ciiDlVllhp', 'tW6D4qSGaB', 'y8RiDSkt4Aq6nEP3kE', 'RqIa8DT3W4TLVLrtEg', 'ICPDDvW2mb', 'jZLDpjDFt2'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, JN7r0DbKRXSIHB01a6.cs	High entropy of concatenated method names: 'SfgGwBMbTQ', 'NAmGnPNkey', 'gqsG5vsJb2', 'QiwGtZeEsi', 'WxRGeIwtUT', 'NZKGgIfBW9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.x3xqeKOaAd.exe.46c1ea8.3.raw.unpack, dpUFP5XCivulAUrppt.cs	High entropy of concatenated method names: 'XO1mYau4g', 'Uajd8gawX', 'SGkyYHNus', 'lkmjV71OU', 'pqmW8n3gn', 'L6Vf5bJsg', 'dbO4PWCsBARdajviUe', 'UF3cH7y17MQDl1OgKj', 'NfpUhKCQo', 'EsnGEntG1'

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

File created: C:\Users\user\AppData\Roaming\xEnNgUs.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x3xqeKOaAd.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xEnNgUs.exe PID: 7896, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7304, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: x3xqeKOaAd.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xEnNgUs.exe PID: 7896, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x3xqeKOaAd.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xEnNgUs.exe PID: 7896, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7304, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: x3xqeKOaAd.exe, 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, xEnNgUs.exe, 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 4C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 7990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 8990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 8B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: 9B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: A160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: B160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory allocated: C160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 1360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 4E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 7550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 8550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 86E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 96E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: 9BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Memory allocated: ABC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 18C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 31F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 51F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598396	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594979	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8311	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7930	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1894	Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe TID: 7556	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe TID: 7572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep count: 7930 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7892	Thread sleep count: 1894 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598396s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -595091s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594979s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7796	Thread sleep time: -593813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe TID: 7900	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8040	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7348	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598396	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594979	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 0000000A.00000002.2860935749.000001310CC59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2860393160.000001310762B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000008.00000002.3634522059.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe"
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 66B008	Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xEnNgUs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp571D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEnNgUs" /XML "C:\Users\user\AppData\Local\Temp\tmp66BD.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Users\user\Desktop\x3xqeKOaAd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x3xqeKOaAd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Queries volume information: C:\Users\user\AppData\Roaming\xEnNgUs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xEnNgUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\x3xqeKOaAd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f46550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.xEnNgUs.exe.2f33c6c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2e9dd5c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x3xqeKOaAd.exe.2eb0640.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x3xqeKOaAd.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xEnNgUs.exe PID: 7896, type: MEMORYSTR

Yara detected VenomRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7304, type: MEMORYSTR

Source: x3xqeKOaAd.exe, 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, xEnNgUs.exe, 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, xEnNgUs.exe, 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: x3xqeKOaAd.exe, 00000000.00000002.1218226132.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, xEnNgUs.exe, 00000009.00000002.1260216966.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1260170152.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Scheduled Task/Job	3 Scheduled Task/Job	311 Process Injection	11 Masquerading	1 Input Capture	221 Security Software Discovery	Remote Services	1 Input Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	3 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	221 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x3xqeKOaAd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
x3xqeKOaAd.exe