
Windows Analysis Report
x20U0QJMVC.exe

Overview

General Information

Sample name: x20U0QJMVC.exe (renamed because original name is a hash value)
Original sample name: 21b3ce427475b47076786585d7041284d6904b77cc3fe4ed9bb0c58f2b98f326.exe
Analysis ID: 1634546
MD5: 37ef4f24015c203f1f703e634ab7abe3
SHA1: bf007a685cdc77adcec7e214659934b8b7264f25
SHA256: 21b3ce427475b47076786585d7041284d6904b77cc3fe4ed9bb0c58f2b98f326
Tags: AsyncRAT, exe, user-adrian__luca

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • x20U0QJMVC.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\x20U0QJMVC.exe" MD5: 37EF4F24015C203F1F703E634AB7ABE3)
    • x20U0QJMVC.exe (PID: 1332 cmdline: "C:\Users\user\Desktop\x20U0QJMVC.exe" MD5: 37EF4F24015C203F1F703E634AB7ABE3)
      • WerFault.exe (PID: 7700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1984 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Malware configuration (XWorm): {"C2 url": ["doe.ydns.eu", "wqo9.firewall-gateway.de"], "Port": 5901, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches in memory dumps (matched strings are listed beneath the row they belong to):

Source | Rule | Description | Author
00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1264a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x22b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x335e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x126e7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x22bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x3367f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x127fc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x22ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x33794:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11fcc:$cnc4: POST / HTTP/1.1
  • 0x224b8:$cnc4: POST / HTTP/1.1
  • 0x32f64:$cnc4: POST / HTTP/1.1
00000004.00000002.2257147741.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: x20U0QJMVC.exe PID: 6388 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: x20U0QJMVC.exe PID: 6388 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Yara matches in unpacked PE files:

Source | Rule | Description | Author
0.2.x20U0QJMVC.exe.2beee68.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.x20U0QJMVC.exe.2beee68.1.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x9b46:$str01: $VB$Local_Port
  • 0x9b8f:$str02: $VB$Local_Host
  • 0x84e6:$str03: get_Jpeg
  • 0x8947:$str04: get_ServicePack
  • 0xad09:$str05: Select * from AntivirusProduct
  • 0xbc50:$str06: PCRestart
  • 0xbc64:$str07: shutdown.exe /f /r /t 0
  • 0xbd16:$str08: StopReport
  • 0xbcec:$str09: StopDDos
  • 0xbde2:$str10: sendPlugin
  • 0xbe62:$str11: OfflineKeylogger Not Enabled
  • 0xbfba:$str12: -ExecutionPolicy Bypass -File "
  • 0xc449:$str13: Content-length: 5235
0.2.x20U0QJMVC.exe.2beee68.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xc9e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xca7f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcb94:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc364:$cnc4: POST / HTTP/1.1
0.2.x20U0QJMVC.exe.2bff354.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.x20U0QJMVC.exe.2bff354.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x9b46:$str01: $VB$Local_Port
  • 0x9b8f:$str02: $VB$Local_Host
  • 0x84e6:$str03: get_Jpeg
  • 0x8947:$str04: get_ServicePack
  • 0xad09:$str05: Select * from AntivirusProduct
  • 0xbc50:$str06: PCRestart
  • 0xbc64:$str07: shutdown.exe /f /r /t 0
  • 0xbd16:$str08: StopReport
  • 0xbcec:$str09: StopDDos
  • 0xbde2:$str10: sendPlugin
  • 0xbe62:$str11: OfflineKeylogger Not Enabled
  • 0xbfba:$str12: -ExecutionPolicy Bypass -File "
  • 0xc449:$str13: Content-length: 5235

              System Summary

Sigma detected: Startup Folder File Write
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\x20U0QJMVC.exe, ProcessId: 1332, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftEdge.lnk
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T01:18:06.095172+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:18.248409+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:20.516809+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:34.971591+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:42.532648+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:48.253219+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:56.954059+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:20.518830+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
2025-03-11T01:18:34.979031+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
2025-03-11T01:18:42.550274+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
2025-03-11T01:18:56.960576+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
2025-03-11T01:18:18.248409+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:18:48.253219+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
2025-03-11T01:17:38.518469+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49684 | 104.245.240.158 | 5901 | TCP


              AV Detection

Source: wqo9.firewall-gateway.de | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["doe.ydns.eu", "wqo9.firewall-gateway.de"], "Port": 5901, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\MicroSoftEdge.exe | ReversingLabs: Detection: 75%
Source: x20U0QJMVC.exe | ReversingLabs: Detection: 75%
Source: x20U0QJMVC.exe | Virustotal: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: doe.ydns.eu,wqo9.firewall-gateway.de
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 5901
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: BIG DICK
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: %AppData%
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: MicroSoftEdge.exe
Source: x20U0QJMVC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: x20U0QJMVC.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbCu> source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\ocql.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Windows.Forms.pdbH source: WER4302.tmp.dmp.16.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Configuration.pdb8S source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Configuration.ni.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Configuration.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: ocql.pdbSHA256 source: x20U0QJMVC.exe, MicroSoftEdge.exe.4.dr
Source: Binary string: System.Xml.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: o.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: \??\C:\Users\user\Desktop\ocql.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4302.tmp.dmp.16.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Core.ni.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: %%.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: C:\Windows\ocql.pdbpdbcql.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbR source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb%?} source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp, x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, WER4302.tmp.dmp.16.dr
Source: Binary string: ocql.pdb source: x20U0QJMVC.exe, MicroSoftEdge.exe.4.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Management.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Drawing.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: mscorlib.ni.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Xml.pdbR source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Core.pdb< source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Management.ni.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\x20U0QJMVC.PDB\* source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4 source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4302.tmp.dmp.16.dr
Source: Binary string: o0C:\Windows\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER4302.tmp.dmp.16.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4302.tmp.dmp.16.dr
Source: Binary string: \??\C:\Windows\symbols\exe\ocql.pdb8 source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp

              Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49684 -> 104.245.240.158:5901
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 94.156.227.193:5901 -> 192.168.2.10:49692
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 94.156.227.193:5901 -> 192.168.2.10:49692
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.10:49692 -> 94.156.227.193:5901
Source: Malware configuration extractor | URLs: doe.ydns.eu
Source: Malware configuration extractor | URLs: wqo9.firewall-gateway.de
Source: global traffic | TCP traffic: 192.168.2.10:49684 -> 104.245.240.158:5901
Source: global traffic | TCP traffic: 192.168.2.10:49692 -> 94.156.227.193:5901
Source: Joe Sandbox View | ASN Name: NETIXBG NETIXBG
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: wqo9.firewall-gateway.de
Source: global traffic | DNS traffic detected: DNS query: doe.ydns.eu
Source: x20U0QJMVC.exe, 00000004.00000002.2257147741.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.16.dr | String found in binary or memory: http://upx.sf.net

              System Summary

Source: 0.2.x20U0QJMVC.exe.2beee68.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.x20U0QJMVC.exe.2beee68.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.x20U0QJMVC.exe.2bff354.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.x20U0QJMVC.exe.2bff354.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_0116E0DC
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_05D00130
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_05D00120
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062E4E60
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062ED367
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062ED378
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062E4EF0
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062EEC90
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_06800718
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_06809FA4
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_0680B750
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_06800040
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080E1950
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080E9848
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080EA877
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080EAAE8
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080E8FD8
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080EB3C0
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080E93FF
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_080E9410
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_01701030
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_0170C268
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_0170E2D8
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_017042C0
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_0170599D
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_0170CB38
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_01703CC9
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_01701618
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_0170BF20
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_06FC07F8
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_06FC1539
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_06FC4B80
Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1984
Source: x20U0QJMVC.exe, 00000000.00000002.1125592481.0000000006850000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000002.1125922503.00000000080F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000002.1113287251.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000002.1116436413.0000000003C07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000002.1116436413.0000000003C84000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBIG DICK.exe4 vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002C23000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000000.00000000.1043692770.0000000000762000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameocql.exe0 vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe, 00000004.00000002.2255554501.0000000000411000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBIG DICK.exe4 vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe | Binary or memory string: OriginalFilenameocql.exe0 vs x20U0QJMVC.exe
Source: x20U0QJMVC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.x20U0QJMVC.exe.2beee68.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.x20U0QJMVC.exe.2beee68.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.x20U0QJMVC.exe.2bff354.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.x20U0QJMVC.exe.2bff354.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: x20U0QJMVC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, NeCZsTzgasnge0k42cPEMSZusZaPx4cBEG0X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, NeCZsTzgasnge0k42cPEMSZusZaPx4cBEG0X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.cs | Base64 encoded string: 'p7vQF4Y3oXGeGnLfyM/zbtjdCN4wbvZDAk9B8vsmzElOJvUqS5+pLx5WgdQ9Av05'
Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, yJQsp57VacemruUNHTKnWeNHS9r7JnQJVZBspLPTajE1MNp9Vwu0lFGQqzGYKgEJo00szn2Ae7.cs | Base64 encoded string: 'j17NsVuwrrlguxhZtGhx3ueYcqJ1niVlQ9pgTpuFIyd898BSixePeaIkQJnjt7eWOJAP'
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.cs | Base64 encoded string: 'p7vQF4Y3oXGeGnLfyM/zbtjdCN4wbvZDAk9B8vsmzElOJvUqS5+pLx5WgdQ9Av05'
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, yJQsp57VacemruUNHTKnWeNHS9r7JnQJVZBspLPTajE1MNp9Vwu0lFGQqzGYKgEJo00szn2Ae7.cs | Base64 encoded string: 'j17NsVuwrrlguxhZtGhx3ueYcqJ1niVlQ9pgTpuFIyd898BSixePeaIkQJnjt7eWOJAP'
Source: 0.2.x20U0QJMVC.exe.3ce0cc8.5.raw.unpack, BtlvSYNIayAioD58Ox.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x20U0QJMVC.exe.3ce0cc8.5.raw.unpack, BtlvSYNIayAioD58Ox.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, BtlvSYNIayAioD58Ox.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, BtlvSYNIayAioD58Ox.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x20U0QJMVC.exe.80f0000.7.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.x20U0QJMVC.exe.80f0000.7.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x20U0QJMVC.exe.80f0000.7.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.x20U0QJMVC.exe.3ce0cc8.5.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.x20U0QJMVC.exe.3ce0cc8.5.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x20U0QJMVC.exe.3ce0cc8.5.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.x20U0QJMVC.exe.80f0000.7.raw.unpack, BtlvSYNIayAioD58Ox.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x20U0QJMVC.exe.80f0000.7.raw.unpack, BtlvSYNIayAioD58Ox.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, 6r9Ik17VUBaMPNyzNu5DAjoXerSGLmr1Rc9pFRvg400BxgcUhmwPpJt5oidp4HstItIl2SgnO69DNRDmzdzilI4hvE26f.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, 6r9Ik17VUBaMPNyzNu5DAjoXerSGLmr1Rc9pFRvg400BxgcUhmwPpJt5oidp4HstItIl2SgnO69DNRDmzdzilI4hvE26f.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, Oiav3h8KdpZx6KWNv4.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, Oiav3h8KdpZx6KWNv4.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, Oiav3h8KdpZx6KWNv4.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, 6r9Ik17VUBaMPNyzNu5DAjoXerSGLmr1Rc9pFRvg400BxgcUhmwPpJt5oidp4HstItIl2SgnO69DNRDmzdzilI4hvE26f.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, 6r9Ik17VUBaMPNyzNu5DAjoXerSGLmr1Rc9pFRvg400BxgcUhmwPpJt5oidp4HstItIl2SgnO69DNRDmzdzilI4hvE26f.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/9@2/2
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x20U0QJMVC.exe.log
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Mutant created: \Sessions\1\BaseNamedObjects\MwFBVxtXhTxmaX69
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1332
              Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0083bd8f-1173-47ab-ae3e-cc9a25184b7e
              Source: x20U0QJMVC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: x20U0QJMVC.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: x20U0QJMVC.exe | ReversingLabs: Detection: 75%
              Source: x20U0QJMVC.exe | Virustotal: Detection: 70%
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | File read: C:\Users\user\Desktop\x20U0QJMVC.exe
              Source: unknown | Process created: C:\Users\user\Desktop\x20U0QJMVC.exe "C:\Users\user\Desktop\x20U0QJMVC.exe"
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Process created: C:\Users\user\Desktop\x20U0QJMVC.exe "C:\Users\user\Desktop\x20U0QJMVC.exe"
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1984
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: netfxperf.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: pdh.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wtsapi32.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: bitsperf.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: bitsproxy.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: esentprf.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: perfts.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: winsta.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: utildll.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: tdh.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: samcli.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: msdtcuiu.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: atl.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: msdtcprx.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: mtxclu.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: clusapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: resutils.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: clusapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: resutils.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: msdtcprx.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: ktmw32.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: resutils.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wkscli.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cscapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: msscntrs.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: perfdisk.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wmiclnt.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: perfnet.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: browcli.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: perfos.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: perfproc.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: sysmain.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: rasctrs.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: rasman.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: tapiperf.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: tapi32.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: perfctrs.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: usbperf.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: tquery.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cryptdll.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: iconcodecservice.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: sxs.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: scrrun.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: linkinfo.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: ntshrui.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: cscapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: avicap32.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: msvfw32.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: x20U0QJMVC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: x20U0QJMVC.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: x20U0QJMVC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbCu> source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\exe\ocql.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Windows.Forms.pdbH source: WER4302.tmp.dmp.16.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.pdb8S source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.ni.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Configuration.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: ocql.pdbSHA256 source: x20U0QJMVC.exe, MicroSoftEdge.exe.4.dr
              Source: Binary string: System.Xml.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: o.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: \??\C:\Users\user\Desktop\ocql.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4302.tmp.dmp.16.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Core.ni.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: %%.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: C:\Windows\ocql.pdbpdbcql.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbR source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb%?} source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp, x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, WER4302.tmp.dmp.16.dr
              Source: Binary string: ocql.pdb source: x20U0QJMVC.exe, MicroSoftEdge.exe.4.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Management.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Drawing.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: mscorlib.ni.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Xml.pdbR source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Core.pdb< source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Management.ni.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2255992444.0000000001456000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: symbols\dll\mscorlib.pdbLb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Desktop\x20U0QJMVC.PDB\* source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4 source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4302.tmp.dmp.16.dr
              Source: Binary string: o0C:\Windows\mscorlib.pdb source: x20U0QJMVC.exe, 00000004.00000002.2260267688.000000000607A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdb source: WER4302.tmp.dmp.16.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER4302.tmp.dmp.16.dr
              Source: Binary string: \??\C:\Windows\symbols\exe\ocql.pdb8 source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.q7dVGl9jBkKSylRgI3Zo3IjkXVtKfeMWCwTC9umzHZC3SeWyodDGhs8dqX,XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY._1qVw19Tqu8UMSjEW8OFXBLLgBZS88qmRXPNVoduRixKRLiWx6zLfQRjWrxQKPqB87MscGPMea29Bq9gqqkMGVLHpdB,XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.WjNl2rwB07L2Oz7Hpsk6c8Kp9Cq8lIhtq7N14azrYvKgsFQ2tn5F6Dd3CHTSNa5CfgfP4jMwwfJnnd5vz4qZFc5Yie,XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.lximT6668TGMob3geKtaw1ReIEAIZYoerNlOWDqyPlajU82tWnoQTYuQdMJQDPOVuyYTi8yxXyoU1LCTCbWaaJPrm4,xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg._7HT9JDKEnNv2fFDfOTtM8RlmHoRQMnGlT9K3()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_8qGewZd6oj1Axppv0FTmii0lxThcC0xk9EWT[2],xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.bvmeN7dO2WsRCe7M0NNIaDFa4lnQeOKPC4gJBV5GiRshBNJGK1B1i0YKwfhfR47ECGms(Convert.FromBase64String(_8qGewZd6oj1Axppv0FTmii0lxThcC0xk9EWT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.q7dVGl9jBkKSylRgI3Zo3IjkXVtKfeMWCwTC9umzHZC3SeWyodDGhs8dqX,XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY._1qVw19Tqu8UMSjEW8OFXBLLgBZS88qmRXPNVoduRixKRLiWx6zLfQRjWrxQKPqB87MscGPMea29Bq9gqqkMGVLHpdB,XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.WjNl2rwB07L2Oz7Hpsk6c8Kp9Cq8lIhtq7N14azrYvKgsFQ2tn5F6Dd3CHTSNa5CfgfP4jMwwfJnnd5vz4qZFc5Yie,XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.lximT6668TGMob3geKtaw1ReIEAIZYoerNlOWDqyPlajU82tWnoQTYuQdMJQDPOVuyYTi8yxXyoU1LCTCbWaaJPrm4,xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg._7HT9JDKEnNv2fFDfOTtM8RlmHoRQMnGlT9K3()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_8qGewZd6oj1Axppv0FTmii0lxThcC0xk9EWT[2],xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.bvmeN7dO2WsRCe7M0NNIaDFa4lnQeOKPC4gJBV5GiRshBNJGK1B1i0YKwfhfR47ECGms(Convert.FromBase64String(_8qGewZd6oj1Axppv0FTmii0lxThcC0xk9EWT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs | .Net Code: meZmIuGnVo3moQhwWhq7uX5GrgMePPtbMQ2V System.AppDomain.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs | .Net Code: SmGFKpPI7MkxmERss6LKfvzhov5bEcEGhmd8 System.AppDomain.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs | .Net Code: SmGFKpPI7MkxmERss6LKfvzhov5bEcEGhmd8
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | .Net Code: XswVQwoald System.Reflection.Assembly.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.6850000.6.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.2d4aac0.2.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.3c64dd8.3.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.3ce0cc8.5.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | .Net Code: XswVQwoald System.Reflection.Assembly.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs | .Net Code: meZmIuGnVo3moQhwWhq7uX5GrgMePPtbMQ2V System.AppDomain.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs | .Net Code: SmGFKpPI7MkxmERss6LKfvzhov5bEcEGhmd8 System.AppDomain.Load(byte[])
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs | .Net Code: SmGFKpPI7MkxmERss6LKfvzhov5bEcEGhmd8
              Source: 0.2.x20U0QJMVC.exe.80f0000.7.raw.unpack, Oiav3h8KdpZx6KWNv4.cs | .Net Code: XswVQwoald System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062EE4B8 push eax; mov dword ptr [esp], edx 0_2_062EE4C9
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_062EC258 push eax; mov dword ptr [esp], edx 0_2_062EE4C9
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_0680A658 pushad ; retf 050Ch 0_2_0680A665
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 0_2_06805D20 push es; iretd 0_2_06805D2C
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe | Code function: 4_2_06FC02D0 push FFFFFF8Bh; iretd 4_2_06FC0271
              Source: x20U0QJMVC.exe | Static PE information: section name: .text entropy: 7.577913740302318
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.csHigh entropy of concatenated method names: 'jBXqu1bnIartDeN8cjnqhNQ3mT235UGHXTeWCNgLQHb4RvFOydMJ3', '_736knBzUbXb6c5I9IA4gvPQM2xh4L42KGddZE9F97Ob21iCd4Rao7', 'ASvsQG0QYZ3Sest5kDi5Mk8qUXa3fLd9PdFc1oBJ5EEp1tRKIWfNu', '_6KIWbfnSEAT0wmPLCZ3zVXZ6aH7o7uYybmpXkX9ox7qenp3ft6HVH'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, Q23KkkGXkXR0gOAHoqr4zEz26VdgzkDwel7ccUpGGxlGOyVzRMFvL7ftoX7PHCzaaFWB.csHigh entropy of concatenated method names: 'CIalY5BtsFG4fCcUqHCzpPkTxmTKHll12u6h8ipvByk4x7anxhYboQnj3Ngdcwo8ZEKg', '_4m7QTxXVyHyuY4BF1mcSK5CWldeJdfqTqE5kvq6oQsjfrXkTLCRTdOVPovzXEBhIa8Ft', 'QKTRCBomeg33HYcRSI2tXXJs2Nd3v8Pp0tI6Nxztvs0MtMEJFokQJJ08070u9u4yCnhH', 'au1anuOkO1zUW', 'zkf6Y6u64QokP', '_4l7RX4jvZ08A4', 'mdvCG7viunOPO', 'vebrVVRkfYmai', 'BkIWdZeR3qKqX', 'UfGLJzRY3oZAb'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, ipNhDKQpkkGPikicR0nLfuD5KJ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'i2QaluyeFpF92OZDh7jJuMa3Y1d5E2leWZfPvAddhd5ppIv1vQgZh', 'NQKR743A8prX8KYRjWd84VYLNVRA0LFfX9pOdQCgcw8otVZ9SLdC7', 'O1UysStdA7qI3ToR9y9wkYu1hRt2HeTM0bn9Yhrs1tkFawb6QImMH', 'JHh9soP3kVtlg2mfylfR4XmEvX7DGHamkKV5UEvmLK10JPHMi9hwC'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, GRgiGy85IIPC62gdHoTIDRM5cUpK5rQ5U64x.csHigh entropy of concatenated method names: 'a4tOdDF0TBci1a4SesUFX8qHJwiXVMY6AugA', '_8nrgUWL52Vo8Szg5sFINgmD1LHQ1', 'ek9rxI0fpbau1HFsKZwbbJb99AsM', 'RQAwaEQA0mkPMudont1ztEgx438D', 'jLwC9Y5VCFp8j4rKZrbw8wIp9KPQ'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, K1yAT7kLSmTbXV9P6iT88Sjdvdgb3Kc7iFvv.cs High entropy of concatenated method names: 'jewEfN36otRDHo7f2WITO5jeikj6bmUkZsQd', 'meZmIuGnVo3moQhwWhq7uX5GrgMePPtbMQ2V', 'ndm3z3ysoYkGtmJrFZzjogfeZD0TyH807Rmq', 's9zDnr9lAaARaJXX0gn5Gm7ObxZNz0sUcAn9', 'oMrWAOPuhb0aAfb1DDNVe4rQZOYXs6rcj5q5', '_95TpxYyv57YcQ5NroJtcx2o8dv3RhazApMoq', 'Ofpm3fG3llvzUfdBh7RS6yrrB04UvTMKApG8', 'dpK1jZ6OiUokKG46C9GXB1u45Y17AWGoYt7O', 'qnLD6T9TsV3Dn8t1ErBHagzLn9Hw9lS2D2OC', 'auJXP6KzSVyKj9pxRvJ5uu3RBKj1rosXC3sC'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, 6r9Ik17VUBaMPNyzNu5DAjoXerSGLmr1Rc9pFRvg400BxgcUhmwPpJt5oidp4HstItIl2SgnO69DNRDmzdzilI4hvE26f.cs High entropy of concatenated method names: 'fkaHKKS3cGWVIgKiKaJIRmBh4yMZNtI83KaTb9DFDxC2g9t8J9i0AM5BdlKudx8IPnUraY6AcyM6o5D3Q3rQSIatWOog2', 'fBvBDdkqVksKA1diLE2B8wcKyaipQ56ZckjH4Wti8zwp6dRqMwvDREBkoyU6gajbiZifABxTmN27pWInK9a2d951rHUeg', 'k9Tcnlc04e8DaG0WykI1sqpThqRaIROnwbGlWNjRNzwJzcjt3It9kZnfQg2rjxvnkQMtYLYxqV1S9OBd4DsQCRtW2gSQl', 'a2G19Rxd2rxdoRxt7fKc23NtMM2y5hb5xEHnggmQhmV7qxHMNBgcpCoNbJ5l3qV2S3uFtSOR8Pnw0QhvEHVIJpfQd6Y5r', 'e9G3c9m46qt3ayutVb7cyYiWsmZCxelaFvuZOs3ec5qj2tcQiQjkBmRfdNhTP5sCH8MeXljJF3o70pYIYxLJ6Lh7UtUc4', 'r9YfZOdTJDZ0wXIetv2Ok5QzbNUwVh0OdGwzkFGC3hPAN6bC5pL9aQMhukeZIFWDKKHjQI0SbzZ7sLTaRj2vckLNvZxeE', 'zjSTvXmGwEhxeihjopHUWIaQJqFGuDKgf4rZixfonRT8ECwHPgBy1WGErOBc32n36S1iIMtXOxmMvpiTdJZGTErDW7Ue6', '_5aGL0l4icUhAQVnyfPf9JFtDxMWfINtdXe97ahHhngLEhReSw6HpGjajqCBMmwwiIdo0K3PY2mSnsGyUk3ZIGJMu12NoQ', 'a3dIRUVCZcfLM6RsAVUk74XEMbDsWS31OokpCgod69oEvioXH8Xjng6OZouiXKCvhAiCCoH4Iaf8G7zLZjZVlYOddGQu4', 'LkKIbbXzKSX7wvGooTZPvIMzvHkAZewnzaPp2CbjwPAkF3AId7cskvLeUWa2wEoAVpNGdvIRURVXwoCvmFsoV4igoqIcI'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, xeeTTlvFvTWtAHk5Apy73k5Qhl5yvqtlAPrg.cs High entropy of concatenated method names: 'RftdwedHVVBEA6O3eDuTUtLvsj84CJU4Hnwn', '_9lB20hgsJtbwu4Dq6gfyrpyNTT3oHMT5YsFT', 'Fr3maN5Pew72qVpt69VA8bAbUdneLWwZ3s23', 'iNp4YKccAoZdtWht2Logla1m79TBpZJ8jIVm', 'FtnGUJWIG8Lgbw7tmrwxzhTwcggfnuFSecaL', 'NR0M7TGSomw4ggB3rJfgKvixPsmVIRpCCaGi', '_2zOi9Wvq6pxH9OveLmgnp9t7AqaMOYTetDD2', 'PWldhZtrjP8L2IUTy523wmUTIsKfzX05bAev', '_1elyC22RFjbsHPIybaMqeY8wON52VSY54zhD', 'tPISYQEavjAfiVtU5J6qyG4SUAPVoBQtc7rt'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, Mkq6JOPXfJ0mPyDgrpXHkCxWagnsXa3XvNLkFgE7lQHhwSJRhL4OmhgCFdjTrHr1LatbYg4gFjwpjhfrAssiF71ojwAwS.cs High entropy of concatenated method names: 'Fr1rTvYGfcgCpjhDjlIm8UdHs9HdigPeim0zxXp16bZBkJH3fidbl65WLcX3bOwpkCGXxSSfDgLwA640FX0I4HwPPr8mU', 'xAnxr55OcU6gIrvkV1BRjiAUVNlCMijiyKTA8FWo6snd2TDQZaUaL3XF0pnpHGsJBbD5nYcIZFAj2CMxH0ebczMd8WMVv', 'Q4Rk72nNblu08dsgjUDoxTSvfbeqxH9fvvea55bxSbWMx4iD1JJKbTztC2498KUZWyhb3TTcW49isuDbNitg5wOP0PHAA', 'UTxsjjAVvoCe1OKlJVdChYR70Tk5gsWFhctYQAj0eiD00XYyVER0O', 'TwnCxIKVvKFrmpXOrS7bXGejnEO2p8sJFUVZpfT6VjA0M79T05qYx', 'jBAmb9tKgeT4orBIx1dplIwdAtPWsLFpOGk8k2YXUbwKHpufmaFVdGPhidje09Z071QriLJ9MxStkK4hFjRCa', 'fqQpyJb7yY4GWQULX4BLA6H1idRVmi30BsU2kXgG8sxexD6lHeOgzXdDyo37Yg3ugmOEvOYdHILmxJN4YCAou', 'mmrg5f1mMUj62LEjn1EaxJ9SsVkZUfpPBJEgKJhbtSRDN8WW7um4wXRkpzGczLmIRZ9kHPR71m3qeN54gwaY4', 'PgnI0sDTgxJEWKzEQJUMN4f3TtNvI16A6fTRm8clhKn1tpVXGV6JskS4eSZROHQtLWrdoen0QcKZvBDvzNuFC', 'OKxqO8XYJuyltztaKQfp6HxpEIGYlvxaV9fuS6XbEka3bfcU7tQ3Zmd7rCVsBRLmByfkEwFzPXIf5TVSHrrsD'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, QtgFaeGKyxRmojVdjTSnpzKTAuKxCE0MMlXn.cs High entropy of concatenated method names: 'XQwDrcQEPC7VSpKsZt5B4BWiuN1pv9leR9K2', '_9qqB9HPyBwVndfRtTNwPhbu0aiaSK0PzdKVX', 'd9clTJhnJSguCzDuSHUhPAoji6ZbpoXkxEBJ', 'q6DePyOii7I6qFYHegObFKXntfTN', 'jcNP5KE8yKKZKWYhKM7dQYoQfxb8', 'cq4W0d9wFJD9L8HM06AhK20VEueR', 'ZDShiXz28KYSLlvLkFJazE2rpWxG', 'JdnbaOP0dlm8qJ4JsESquJoHo6zd', 'iEmIafNlhtux7g0B6UXkRxk4XGdA', 'BFel9Ya7PADD3S0NxzMMymwWbpVG'
              Source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, NeCZsTzgasnge0k42cPEMSZusZaPx4cBEG0X.cs High entropy of concatenated method names: '_7wpYUgiVsEtLl4eDJANBBI8F3wa8KSLldjr7', 'mVtUCre2dWhShC7jf0pNIUWXmcK4', 'fsQpcKmgnDSBSkgO85yD2dZeJXph', 'ROqP7v5BExAIEm30FlvGoObGIwWQ', 'zbvV0SBgHxe9IPwFOHC2uiKN9MTv'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, YXQIf5uMFJSNwB7L2y.cs High entropy of concatenated method names: 'fMHCDFISL2', 'le9CcBsuhe', 'fTqCCF2SMj', 'ptVCJdKfsY', 'aCEC6LXyvQ', 'NMlC9N8ZtL', 'Dispose', 'ExKLp79k8u', 'DgGLIv9vIP', 'FhXLiCtyJN'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, Ln7VLCUtkCJpd0DIXH.cs High entropy of concatenated method names: 'nkciELn9BT', 'iXaiqBCM4x', 's1PiNb3XuD', 'nJWiUrmBO0', 'k0riDRo8LA', 's9vi3VNUc8', 'JXEicfIlmu', 'SfDiLNA0Rk', 'TMfiCB1r5n', 'aZ1is5Bjgm'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, FwkG8pBVBUqCrlbvMtg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E4e0Ch2IY7', 'ziU0s7qoZ7', 't2N0JZAW0G', 'fAM00W3KB5', 'ITH061yTK2', 'rZt0eJRFVU', 'c4W09Bhidq'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, Oiav3h8KdpZx6KWNv4.cs High entropy of concatenated method names: 'mmJrjpOjau', 'EBQrpCtK8F', 'buFrIfwtQD', 'NB6rijXkMD', 'OT9r5PT18h', 'FLjrkrThkW', 'ArprtXKYUX', 'gGar8pmRmh', 'hS3rfISTDa', 'w8MrPpPEFf'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, HXGNoDoW4WBKCFiOg8.cs High entropy of concatenated method names: 'WqqHNNGpej', 'N2xHUlmZ8C', 'jU0HvnW63W', 'ENTHABG4qI', 'vcjH2R5epV', 'pFgHGlQBqk', 'MWlHKxJ48E', 'kGXH7Gg49X', 'XG3HY0sNeB', 'vBfHbEylfE'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, nYwL6il4fIyk3Jqemq.cs High entropy of concatenated method names: 'gHwcaZLRkl', 'QK1cdF1vWN', 'lpiLFacn5l', 'OjKLBHafE7', 'LOEcbVwDWj', 'ILDc44BcZh', 'ktmcoQLrOT', 'XqbcMf87EW', 'L2vcSH1Lel', 'L5LcRCfMXI'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, VoBqQtW70CWOO1Ye4m.cs High entropy of concatenated method names: 'JUSQvamgD', 'N6mE4NeR5', 'orHqjqXJV', 'D5CngmuAk', 'AwyUbAabg', 'BJswBBlGt', 'f3rDRCAwGm2UGB11x4', 'qoWXBIB0WKTF8K9hsy', 'yDrLb4NAT', 'g9SsxSKd3'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, zLxGlBBWUv11T6d3T2S.cs High entropy of concatenated method names: 'ToString', 'P6WJNLmKCU', 'lbcJUrvj79', 'i46JwNuq0U', 'qu8Jvo0p6R', 'jDlJA7t6ww', 'ktuJTe5WF5', 'PZHJ2EQ16I', 'igZcoBSybxolTmkNM7N', 'QZqwdRSfvECmNu5rO0y'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, EpNNJydueh5LUCm5yJ.cs High entropy of concatenated method names: 'Ur4siKqnpN', 'VeJs5sTfE3', 'myrskTp9bu', 'DH8stbvRcD', 'm3OsCcoX1U', 'r1ys8357lU', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, PJIFmhyFhlsEG7LTV9.cs High entropy of concatenated method names: 'WwvCvymb2h', 'vPkCAq7phU', 'eisCT3ZSJK', 'OdXC2Wllrb', 'MxfCGJpeaW', 'jAGCm72uFk', 'ICOCKMtgtU', 'uR3C7LO1Ek', 'iwRCh3ZLdU', 'fQKCYJwlPd'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, EmE2AFzFy4VIlJftEH.cs High entropy of concatenated method names: 'IHlsqq33dk', 'yiMsNsQ56v', 'TIGsU6oviU', 'j9Qsvaa93e', 'ksysAqQCgf', 'BRLs2ySo1H', 'NMEsGXODLM', 'J6Xs9tcf5b', 'nXFsxTefhP', 'T0DsXhj7Vm'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, S8PnYDBrJSvVwh0QSsD.cs High entropy of concatenated method names: 'OEWJdjGb3u', 'Np2JzM1FLA', 'hap0FRZwyH', 'xaWJPMScHBOUWTl6SvV', 'GeHdv0SzfEUlmkGg8sJ', 'w5ehPo9MnyarsCoDBMN'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, A9KrPLKPUfSKbU7Hp7.cs High entropy of concatenated method names: 'YAAtpukimE', 'Pd1tigcR81', 'OUwtkQY2xu', 'f3skdnHSej', 'FvWkz72D4E', 'TQ5tFB1qjM', 'LdYtBN1g3B', 'gh0tWcuAQB', 'a8OtraBUW1', 'nNstVrHPg2'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, nIBNQLh7aVpHYdKD1h.cs High entropy of concatenated method names: 'zXKtxUmRwX', 'UqDtXwhO3H', 'R5WtQo8EXP', 'R5OtEHNX8b', 'Oq9tOcMyu7', 'PyCtqPkwLu', 'xnGtn7t9EB', 'PMttNgY6bI', 'w10tUOjB16', 'UA9twKpXOK'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, lIi03mBBKOOeMUQ9Vk8.cs High entropy of concatenated method names: 'OjFsdLc3jg', 'jdbszxCEli', 'dKkJFB2LfW', 'KnRJB7I1fF', 'gGXJWDOY8U', 'RjsJrt8jCX', 'tsxJVsiSJQ', 'qTuJjhlZEi', 'y7XJpkyvM5', 'mgMJIcJdgW'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, KD2vGmvRn9c0KTPsgc.cs High entropy of concatenated method names: 'Qq4kjj5Ot0', 'kfOkI60d3j', 'rsok5Doi3E', 'b7NktVuEpI', 'F87k8nssQb', 'TuG5Zx2luv', 'rPQ5l0ybu5', 'VSq5uBYUyu', 'EAI5adXftV', 'Wta5ykcLpM'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, kq6NX3RcCMGRLvDNQc.cs High entropy of concatenated method names: 'ToString', 'X8k3bx5c9D', 'hvC3A6Tkhv', 'tHU3TMubDo', 'prS32M999Z', 'Y4A3GTnPDY', 'zQF3mX41Ya', 'yao3KkkUfN', 'Bkr37eH6Iw', 'CmR3hFnpdr'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, O1qjxywG5BqBF8C24d.cs High entropy of concatenated method names: 'nOj5O1xVJd', 'hwp5nDR1BT', 'BlpiTdiNID', 'tjmi218kwN', 'XGjiGPMfUb', 'F62imKg7cT', 'CMwiKn1PQM', 'Ia3i7FTabH', 'GcMih0EsLX', 'cKZiYdRkbD'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, BtlvSYNIayAioD58Ox.cs High entropy of concatenated method names: 'Rl7IM8QWvK', 'eioISw0aVp', 'bmyIRiU2lU', 'zdyIgTudvU', 'GNPIZTvFvu', 'xCyIlXvQ58', 'hWnIulaeHT', 'pPnIa1XvWS', 'DhfIypGRlJ', 'FNQIdFW4l2'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, trQDfsVYQuG90QMItn.cs High entropy of concatenated method names: 'hhOBttlvSY', 'fayB8AioD5', 'rtkBPCJpd0', 'oIXB1Hb1qj', 'kC2BD4dmD2', 'GGmB3Rn9c0', 'hoEfvXVLoNLr0GlHLD', 'fnpXx5Ovhj1Kr3q5wh', 'VsqBBh3IdH', 'Y54BrfW1TP'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, OkqEMggyKhvveUq69k.cs High entropy of concatenated method names: 'vNmcP0XQdn', 'If2c1SSd4n', 'ToString', 'zbEcpTxGyY', 'rWlcIkxQCu', 'hpMciig3XW', 'LAhc5WaYoq', 'jfrckCWDFd', 'qEKctosAvQ', 'mVBc85083R'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, koCRFAMRlE6tUZyhru.cs High entropy of concatenated method names: 'IpxDY8beA8', 'RcGD45kT6h', 'YU8DMdxxTt', 'RtsDSOMakr', 'DSdDAPUEJ5', 'L2oDTHKIZo', 'fItD2EGePV', 'kS4DG6P2nF', 'W0IDm4Yj6S', 'xLxDKWtyu1'
              Source: 0.2.x20U0QJMVC.exe.3de6398.4.raw.unpack, kyb9UjIanm1B9pBdv8.cs High entropy of concatenated method names: 'Dispose', 'tSNBywB7L2', 'yqrWAPiiD4', 'fvkwqO5SW1', 'X9uBdWH2JZ', 'ffwBzsDw86', 'ProcessDialogKey', 'dA4WFJIFmh', 'ahlWBsEG7L', 'IV9WWUpNNJ'
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, XsBv7xzevXPPfkH1qcXwf7SM7u0njOOAmYSQzFIFm6lxMQExmqvXP2k3kY.cs High entropy of concatenated method names: 'jBXqu1bnIartDeN8cjnqhNQ3mT235UGHXTeWCNgLQHb4RvFOydMJ3', '_736knBzUbXb6c5I9IA4gvPQM2xh4L42KGddZE9F97Ob21iCd4Rao7', 'ASvsQG0QYZ3Sest5kDi5Mk8qUXa3fLd9PdFc1oBJ5EEp1tRKIWfNu', '_6KIWbfnSEAT0wmPLCZ3zVXZ6aH7o7uYybmpXkX9ox7qenp3ft6HVH'
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, Q23KkkGXkXR0gOAHoqr4zEz26VdgzkDwel7ccUpGGxlGOyVzRMFvL7ftoX7PHCzaaFWB.cs High entropy of concatenated method names: 'CIalY5BtsFG4fCcUqHCzpPkTxmTKHll12u6h8ipvByk4x7anxhYboQnj3Ngdcwo8ZEKg', '_4m7QTxXVyHyuY4BF1mcSK5CWldeJdfqTqE5kvq6oQsjfrXkTLCRTdOVPovzXEBhIa8Ft', 'QKTRCBomeg33HYcRSI2tXXJs2Nd3v8Pp0tI6Nxztvs0MtMEJFokQJJ08070u9u4yCnhH', 'au1anuOkO1zUW', 'zkf6Y6u64QokP', '_4l7RX4jvZ08A4', 'mdvCG7viunOPO', 'vebrVVRkfYmai', 'BkIWdZeR3qKqX', 'UfGLJzRY3oZAb'
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, ipNhDKQpkkGPikicR0nLfuD5KJ.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'i2QaluyeFpF92OZDh7jJuMa3Y1d5E2leWZfPvAddhd5ppIv1vQgZh', 'NQKR743A8prX8KYRjWd84VYLNVRA0LFfX9pOdQCgcw8otVZ9SLdC7', 'O1UysStdA7qI3ToR9y9wkYu1hRt2HeTM0bn9Yhrs1tkFawb6QImMH', 'JHh9soP3kVtlg2mfylfR4XmEvX7DGHamkKV5UEvmLK10JPHMi9hwC'
              Source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, GRgiGy85IIPC62gdHoTIDRM5cUpK5rQ5U64x.cs High entropy of concatenated method names: 'a4tOdDF0TBci1a4SesUFX8qHJwiXVMY6AugA', '_8nrgUWL52Vo8Szg5sFINgmD1LHQ1', 'ek9rxI0fpbau1HFsKZwbbJb99AsM', 'RQAwaEQA0mkPMudont1ztEgx438D', 'jLwC9Y5VCFp8j4rKZrbw8wIp9KPQ'
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe File created: C:\Users\user\AppData\Roaming\MicroSoftEdge.exe
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftEdge.lnk
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\x20U0QJMVC.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match - File source: Process Memory Space: x20U0QJMVC.exe PID: 6388, type: MEMORYSTR
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 1150000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 2B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 4B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: A030000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 88D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: B030000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: C030000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 1660000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 33C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: 1660000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Window / User API: threadDelayed 6564
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Window / User API: threadDelayed 3278
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe TID: 6436 - Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe TID: 5200 - Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe TID: 1960 - Thread sleep count: 6564 > 30
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe TID: 1960 - Thread sleep count: 3278 > 30
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Thread delayed: delay time: 922337203685477
              Source: Amcache.hve.16.dr - Binary or memory string: VMware
              Source: x20U0QJMVC.exe, 00000000.00000002.1113287251.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: JHyper-V Hypervisor Logical Processoro
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $|q!Hyper-V Virtual Machine Bus Pipes
              Source: x20U0QJMVC.exe, 00000000.00000002.1113455230.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V Dynamic Memory Integration Service
              Source: Amcache.hve.16.dr - Binary or memory string: VMware Virtual USB Mouse
              Source: x20U0QJMVC.exe, 00000000.00000002.1123572497.0000000005360000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: X2Hyper-V VM Vid Partition
              Source: Amcache.hve.16.dr - Binary or memory string: vmci.syshbin
              Source: Amcache.hve.16.dr - Binary or memory string: VMware, Inc.
              Source: x20U0QJMVC.exe, 00000000.00000002.1123412362.0000000005266000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: THyper-V Hypervisor Root Virtual Processor
              Source: Amcache.hve.16.dr - Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.16.dr - Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: x20U0QJMVC.exe, 00000000.00000002.1113455230.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V dcykthquvnbgtpv Bus
              Source: x20U0QJMVC.exe, 00000000.00000002.1113675353.0000000000F39000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: sWDHyper-V Hypervisor Root Partition
              Source: Amcache.hve.16.dr - Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.16.dr - Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $|q*Hyper-V Dynamic Memory Integration Service
              Source: x20U0QJMVC.exe, 00000000.00000002.1123412362.0000000005271000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VHyper-V Dynamic Memory Integration Servicel
              Source: Amcache.hve.16.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.16.dr - Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Hyper-V VM Vid Partition
              Source: Amcache.hve.16.dr - Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: x20U0QJMVC.exe, 00000000.00000002.1113455230.0000000000E96000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: &Hyper-V Hypervisorlj
              Source: Amcache.hve.16.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: x20U0QJMVC.exe, 00000004.00000002.2255992444.00000000014BE000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $|q$Hyper-V Hypervisor Logical Processor
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $|q)Hyper-V Hypervisor Root Virtual Processor
              Source: Amcache.hve.16.dr - Binary or memory string: vmci.sys
              Source: x20U0QJMVC.exe, 00000000.00000002.1113675353.0000000000F39000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
              Source: Amcache.hve.16.dr - Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.16.dr - Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.16.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.16.dr - Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
              Source: Amcache.hve.16.dr - Binary or memory string: VMware20,1
              Source: Amcache.hve.16.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.16.dr - Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.16.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.16.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.16.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.16.dr - Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.16.dr - Binary or memory string: VMware PCI VMCI Bus Device
              Source: x20U0QJMVC.exe, 00000000.00000002.1113455230.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V dcykthquvnbgtpv Bus Pipes
              Source: Amcache.hve.16.dr - Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.16.dr - Binary or memory string: VMware Virtual RAM
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Hyper-V Hypervisor
              Source: x20U0QJMVC.exe, 00000000.00000002.1114600439.0000000002B21000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: $|q!Hyper-V Hypervisor Root Partition
              Source: Amcache.hve.16.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.16.dr - Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Process queried: DebugPort
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Process token adjusted: Debug
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Memory written: C:\Users\user\Desktop\x20U0QJMVC.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Process created: C:\Users\user\Desktop\x20U0QJMVC.exe "C:\Users\user\Desktop\x20U0QJMVC.exe"
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Users\user\Desktop\x20U0QJMVC.exe VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Users\user\Desktop\x20U0QJMVC.exe VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.16.dr - Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.16.dr - Binary or memory string: msmpeng.exe
              Source: Amcache.hve.16.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.16.dr - Binary or memory string: MsMpEng.exe
              Source: C:\Users\user\Desktop\x20U0QJMVC.exe - WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2beee68.1.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2bff354.0.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000004.00000002.2257147741.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: Process Memory Space: x20U0QJMVC.exe PID: 6388, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: x20U0QJMVC.exe PID: 1332, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2beee68.1.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2bff354.0.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2bff354.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.x20U0QJMVC.exe.2beee68.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: 00000004.00000002.2257147741.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match - File source: Process Memory Space: x20U0QJMVC.exe PID: 6388, type: MEMORYSTR
              Source: Yara match - File source: Process Memory Space: x20U0QJMVC.exe PID: 1332, type: MEMORYSTR
ATT&CK Matrix (a number before a technique is the report's match count for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 2 Windows Service | 2 Windows Service | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Registry Run Keys / Startup Folder | 111 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 2 Registry Run Keys / Startup Folder | 141 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 111 Process Injection | NTDS | 141 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 21 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
x20U0QJMVC.exe | 75% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
x20U0QJMVC.exe | 71% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\MicroSoftEdge.exe | 75% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
wqo9.firewall-gateway.de | 100% | Avira URL Cloud | malware
doe.ydns.eu | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
doe.ydns.eu | 94.156.227.193 | true | true | | unknown
wqo9.firewall-gateway.de | 104.245.240.158 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
doe.ydns.eu | true | Avira URL Cloud: safe | unknown
wqo9.firewall-gateway.de | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.16.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | x20U0QJMVC.exe, 00000004.00000002.2257147741.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.245.240.158 | wqo9.firewall-gateway.de | United States | 8100 | ASN-QUADRANET-GLOBALUS | false
94.156.227.193 | doe.ydns.eu | Bulgaria | 57463 | NETIXBG | true
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1634546
                      Start date and time:2025-03-11 01:16:20 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 31s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:18
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:x20U0QJMVC.exe
                      renamed because original name is a hash value
                      Original Sample Name:21b3ce427475b47076786585d7041284d6904b77cc3fe4ed9bb0c58f2b98f326.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@4/9@2/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 74
                      • Number of non-executed functions: 15
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, WmiApSrv.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 40.69.147.202, 23.60.203.209, 4.245.163.56, 40.126.32.140
                      • Excluded domains from analysis (whitelisted): onedsblobvmssprdcus02.centralus.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:17:28 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftEdge.lnk
20:17:20 | API Interceptor | 1681742x Sleep call for process: x20U0QJMVC.exe modified
20:19:09 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.245.240.158 | 7I7TOCVsCr.exe | malicious | XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
wqo9.firewall-gateway.de | 7I7TOCVsCr.exe | malicious | XWorm | 104.245.240.158
 | SecuriteInfo.com.Win32.MalwareX-gen.28486.22987.exe | malicious | XWorm | 94.6.68.101
 | Quote SMT 000195829957-20250218.pdf(83kB.com.exe | malicious | XWorm | 94.6.68.101
 | ppZrIGFA6W.exe | malicious | Quasar | 94.6.68.101
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NETIXBG | SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | malicious | Unknown | 94.156.227.9
 | SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe | malicious | Unknown | 94.156.227.9
 | SecuriteInfo.com.Win64.DropperX-gen.28891.2079.exe | malicious | Unknown | 94.156.227.9
 | B4GfvCkDS6.exe | malicious | Meduza Stealer | 94.156.227.99
 | BugSplat64.dll.dll | malicious | XWorm | 94.156.227.37
 | SecuriteInfo.com.Win32.AdwareX-gen.9554.24737.exe | malicious | XWorm | 94.156.227.220
 | sparc.elf | malicious | Unknown | 94.156.227.135
 | ppc.elf | malicious | Mirai, Moobot | 94.156.227.74
 | sh4.elf | malicious | Mirai, Moobot | 94.156.227.74
 | ppc.elf | malicious | Mirai, Moobot | 94.156.227.74
ASN-QUADRANET-GLOBALUS | ATT09858.htm | malicious | HTMLPhisher | 185.174.100.76
 | 7I7TOCVsCr.exe | malicious | XWorm | 104.245.240.123
 | gif.elf | malicious | Xmrig | 107.167.34.74
 | gif.elf | malicious | Xmrig | 107.167.34.74
 | apep.spc.elf | malicious | Unknown | 104.247.172.135
 | gif.elf | malicious | Xmrig | 107.167.34.74
 | https://www.google.com/url?q=https%3A%2F%2Fpoizonus.com%2Fsu&sa=D&sntz=1&usg=AOvVaw1vivNuhukc7YPqnTjOKT1g&af6pbi8nqbgwu55cw518lklmc8rlvoy3529npBRmIAzUEe9djvzki8kdrm19expwx==fFx66xNbaFwp2wAuYMKsTBscURqb78mwqYpIp~JQ~1pwu5ro8b7dregga8ni8pcjy70e8jw2c#~JQ~p0FmCojG8ZOE3336PK8YJ7SAxYr==X2K3pHjUpcsHSSJsm15nFJNZBrB3eBocYRd | malicious | Unknown | 104.245.240.188
 | https://www.google.com/url?q=https%3A%2F%2Fpoizonus.com%2Fsu&sa=D&sntz=1&usg=AOvVaw1vivNuhukc7YPqnTjOKT1g&af6pbi8nqbgwu55cw518lklmc8rlvoy3529npBRmIAzUEe9djvzki8kdrm19expwx==fFx66xNbaFwp2wAuYMKsTBscURqb78mwqYpIp~JQ~1pwu5ro8b7dregga8ni8pcjy70e8jw2c#~JQ~p0FmCojG8ZOE3336PK8YJ7SAxYr==X2K3pHjUpcsHSSJsm15nFJNZBrB3eBocYRd | malicious | HTMLPhisher | 104.245.240.188
 | XTN1VzRJZm.exe | malicious | Unknown | 204.44.192.90
 | XTN1VzRJZm.exe | malicious | Unknown | 204.44.192.90
                        No context
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):1.2581226102068819
                        Encrypted:false
                        SSDEEP:192:nnc9W/3B700BU/qa67PPjqb0zuiF6Z24IO8L:c9GBDBU/qa+zqIzuiF6Y4IO8L
                        MD5:F78D8F5E8E970778E1E61A92ED27C0C1
                        SHA1:FD943FA0CB6579F2F9B4D6C01AA8DF6BC13EDBB6
                        SHA-256:FB2F26475D40E2701203335DDE9BEE50C10DBEF82427AB0D418DDC2809FD7CDE
                        SHA-512:FE78C54E7202684497D629062D9B78B7FA2C450595DC6E8019EE31885276608FA15002ADD94926215763E55C383E07FA4F6D63DCE9B23B02481FCDF8943B9FD8
                        Malicious:true
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.2.5.9.4.2.9.6.8.4.2.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.2.5.9.4.3.6.8.7.1.8.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.6.f.6.c.d.4.-.2.4.e.b.-.4.7.3.9.-.a.3.3.7.-.9.c.b.a.7.0.9.4.d.6.d.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.e.9.8.1.8.3.-.6.f.b.8.-.4.1.9.6.-.a.c.2.4.-.c.d.2.6.e.4.d.e.3.4.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.2.0.U.0.Q.J.M.V.C...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.o.c.q.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.3.4.-.0.0.0.1.-.0.0.1.7.-.9.7.6.e.-.5.7.f.4.1.a.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.f.3.8.7.e.f.5.e.4.9.5.b.d.a.d.8.f.9.c.d.a.c.f.0.4.6.2.4.a.8.a.0.0.0.0.0.0.0.0.!.0.0.0.0.b.f.0.0.7.a.6.8.5.c.d.c.7.7.a.d.c.e.c.7.e.2.1.4.6.5.9.9.3.4.b.8.b.7.2.6.4.f.2.5.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Tue Mar 11 00:19:03 2025, 0x1205a4 type
                        Category:dropped
                        Size (bytes):376754
                        Entropy (8bit):3.379910189331285
                        Encrypted:false
                        SSDEEP:3072:+XMAlZicc4uEqDdmnLTgg9EnqxfLPhvF+CsyJ:+XdTc4Kd4TgGEqdLt0Csy
                        MD5:7633B8D062F27622B1D30BF82589CA85
                        SHA1:BF74DF3B897C049655F77FFF1D24C4B730103F83
                        SHA-256:F6107E086FF257AB9749FEE0832A18766213A75FED347419FC96BDE414F476E2
                        SHA-512:8FC825A7A2F44656150BD71734600B108405ACB0C6B9ADDDC035D107E4D4843CA01E28631F3E6B3BD866093AF1F7EF801F8E68AA8CE87FA8F998C1092F5F9114
                        Malicious:false
                        Reputation:low
                        Preview:MDMP..a..... .......w..g........................t#..........$...|.......$)...x..........`.......8...........T............M...q.......................0..............................................................................eJ......$1......GenuineIntel............T.......4......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):6396
                        Entropy (8bit):3.722922585132508
                        Encrypted:false
                        SSDEEP:96:RSIU6o7wVetbOjE6nrkYZeQE/ogW5aM4UZ89bvGpsfWelm:R6l7wVeJOjE6noYZeiprZ89bvGsfWelm
                        MD5:6EC767C0B4902BAC05C6F21E2995B5CA
                        SHA1:2458817925CF2B4075B051B712A45563B929A811
                        SHA-256:EFE44E277893F8B7C15EE64BAFFF743D90641308F5219F7D60661B0B4C810A4B
                        SHA-512:70C6DD2A9047915CFEEE0EF71875136F68FB6969636228D40D46E03795F606F442B5535D18E1EB41B41754CB95455A864BF342E4DA0AEBB01DFADAE4D211E1E0
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.3.2.<./.P.i.
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4737
                        Entropy (8bit):4.480727584004713
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zsZmJg77aI9uBWpW8VYmYm8M4J8kF7F+q8v+C1a/+8UPVd:uIjfeI7sQ7V+JFFKjg/RUPVd
                        MD5:09A8697246A5D6E2F98819A6936831B7
                        SHA1:7341AEC55CFFA8966D4302235332B06F37BE5A51
                        SHA-256:17FE8B0FBC659AF282CE2231E0343811CB3E753544284CC8C0FB321E2E38B0FD
                        SHA-512:476D9D4E5678F22175C637D75100F9721F70520611661191662DDF06A722FCCC716F114514F3DCC767A342BE2C2D37A68D59EF087FDCE67314FF0BE24D4BF882
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="755481" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Users\user\Desktop\x20U0QJMVC.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                        MD5:E193AFF55D4BDD9951CB4287A7D79653
                        SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                        SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                        SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                        Process:C:\Users\user\Desktop\x20U0QJMVC.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):651776
                        Entropy (8bit):7.583560360234804
                        Encrypted:false
                        SSDEEP:12288:5fcXgNO7W7X28o3knVj0pZnON0zFbfvDm/RAGCP0I+m4SW:ZSWOS6z+Iyqzm/SHP0I+m4n
                        MD5:37EF4F24015C203F1F703E634AB7ABE3
                        SHA1:BF007A685CDC77ADCEC7E214659934B8B7264F25
                        SHA-256:21B3CE427475B47076786585D7041284D6904B77CC3FE4ED9BB0C58F2B98F326
                        SHA-512:9FF7DEB7B9AD9C994A5C0243A1339B558E065B4FCE83882EC02932B6E734E7B49D4541215D7DCF40558FD25486EDEDEAA78A945C335DE0E3AF95C146506E14E9
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 75%
                        Reputation:low
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.g..............0......X........... ........@.. .......................@............`.................................R...O.......LT................... .......c..T............................................ ............... ..H............text........ ...................... ..`.rsrc...LT.......V..................@..@.reloc....... ......................@..B........................H........................................................................0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*..{....*...}.....{....%-.&*.r...ps....o ...*b.(!....(.....(....(....*z.,..{....,..{....o".....(#...*..s$...}......(%.... ... ....s&...('....r...po(...*.~....*.......*.~....*.......*.~....*...0..A.............~....o)....+...(*.....o.....o......(+...-...........o"....*...........!2.......0..@.......
                        Process:C:\Users\user\Desktop\x20U0QJMVC.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Mar 10 23:17:24 2025, mtime=Mon Mar 10 23:17:24 2025, atime=Mon Mar 10 23:17:24 2025, length=651776, window=hide
                        Category:dropped
                        Size (bytes):795
                        Entropy (8bit):5.080296297820988
                        Encrypted:false
                        SSDEEP:12:8gdlQ4uSYChalZY//WYJLXotkgHlNm05jA3ANHShW0XVDVVmV:8uMzS/FXo5rAJh9tm
                        MD5:AE7DD591B5E25B63F93EBE719EB86633
                        SHA1:68666C3E3B862A1CEB53C3AF5B288EEB481B0CC5
                        SHA-256:A2D512C71EE546CF35E4DFD9254F97AFF25FABFAA9D4E358F28917229D06EC33
                        SHA-512:49F2336FE6BD2BEE96FEDF94B2D3D174AE0F0EB72064375ECF1ED2104EF727B486D3496DCB11829EE32EE1549D6FEF00D51D03A7BD50EEB04623889FEB926C8F
                        Malicious:false
                        Reputation:low
                        Preview:L..................F.... .....................................................:..DG..Yr?.D..U..k0.&...&.........5q...R1......\...........t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NkZ"............................c..A.p.p.D.a.t.a...B.V.1.....kZ$...Roaming.@......EW)NkZ$...........................W...R.o.a.m.i.n.g.....p.2.....kZ-. .MICROS~1.EXE..T......kZ-.kZ-..... .....................6'..M.i.c.r.o.S.o.f.t.E.d.g.e...e.x.e.......^...............-.......]............p,h.....C:\Users\user\AppData\Roaming\MicroSoftEdge.exe.. .....\.....\.....\.....\.....\.M.i.c.r.o.S.o.f.t.E.d.g.e...e.x.e.`.......X.......048707...........hT..CrF.f4... .z8%kZ..../...E...hT..CrF.f4... .z8%kZ..../...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.297750423953466
                        Encrypted:false
                        SSDEEP:6144:ceXfWRYkg7Di2vXoy00lWZgiWaaKxC4Iiwjf8XuYswOO/SP9M7HVm:LX/YCW2A4iwjE5OCSl6Hk
                        MD5:C6B9EFAA69E028B5DD4F054B92F05708
                        SHA1:EDE45ED2F795A74C8E979E9AA908F9E21C9A48EE
                        SHA-256:FC209C277DCE57C7810ECE40A3B9CB767752E3BC02E1DA10155C91758FFD8DF7
                        SHA-512:C432A2238ED959FC3D35301221484DC333B661F1239BE3863AA983BDDAAEA6DB2E4DF1632B8300CF592DB5B31912C833F1EBC9CDEC875751FEE752A3FFFD8A76
                        Malicious:false
                        Reputation:low
                        Preview:regfJ...J....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ+G.f.................................................................................................................................................................................................................................................................................................................................................S.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):4.221657708559567
                        Encrypted:false
                        SSDEEP:768:4MnaMbGDwwahXkuU427a6npy69NcIZ6n:4MnRnXTu
                        MD5:C10722CD9E432A9CB72CEF6595327847
                        SHA1:D343152EE17FA11F9CAF2DC68E671461590015D2
                        SHA-256:BBD9A42DCF573F8BFA17A4CD251DE5DE0721030E1BB0A5AF7960534A8C403F61
                        SHA-512:8D55F3041745186D9D22DDDFCDD2F1C9FF2047E6DC364B00CEA942FFAA80AB7A3BF0D2B3ECDD7DC34204D7AC5281C9DA82158335C21DF1BA588C37CE6010B31C
                        Malicious:false
                        Preview:regfI...I....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ+G.f.................................................................................................................................................................................................................................................................................................................................................S.HvLE.^......I....`......G....3.{..j#..................... ...............P......hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk......................\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.583560360234804
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:x20U0QJMVC.exe
                        File size:651'776 bytes
                        MD5:37ef4f24015c203f1f703e634ab7abe3
                        SHA1:bf007a685cdc77adcec7e214659934b8b7264f25
                        SHA256:21b3ce427475b47076786585d7041284d6904b77cc3fe4ed9bb0c58f2b98f326
                        SHA512:9ff7deb7b9ad9c994a5c0243a1339b558e065b4fce83882ec02932b6e734e7b49d4541215d7dcf40558fd25486ededeaa78a945c335de0e3af95c146506e14e9
                        SSDEEP:12288:5fcXgNO7W7X28o3knVj0pZnON0zFbfvDm/RAGCP0I+m4SW:ZSWOS6z+Iyqzm/SHP0I+m4n
                        TLSH:5DD4F1681308CA17C79E4635C5E2E17547FD8CDAB542E39A9ADCBEEF7886F500D420A3
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D.g..............0......X........... ........@.. .......................@............`................................
                        Icon Hash:5e0e1765330f0207
                        Entrypoint:0x49b7a6
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x67BF44B1 [Wed Feb 26 16:43:29 2025 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        (the remainder of the entry point disassembly is zero padding, which decodes as a repeated "add byte ptr [eax], al")
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b752 | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x544c | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x96384 | 0x54 | .text
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0x997ac | 0x99800 | f6f28ab1c6644be0068e8bd94a8ade59 | False | 0.8314650346091205 | data | 7.577913740302318 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x9c000 | 0x544c | 0x5600 | b19d3f089c9d26eb804ddfca40f879c2 | False | 0.935047238372093 | data | 7.788132040137643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xa2000 | 0xc | 0x200 | acb1e1ac6d713995787c3382c1f750a6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_ICON | 0x9c100 | 0x4e11 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9905929447085314
                        RT_GROUP_ICON | 0xa0f24 | 0x14 | data | | | 1.05
                        RT_VERSION | 0xa0f48 | 0x304 | data | | | 0.42875647668393785
                        RT_MANIFEST | 0xa125c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Description | Data
                        Translation | 0x0000 0x04b0
                        Comments |
                        CompanyName |
                        FileDescription | Minimal
                        FileVersion | 1.0.0.0
                        InternalName | ocql.exe
                        LegalCopyright | Copyright 2018
                        LegalTrademarks |
                        OriginalFilename | ocql.exe
                        ProductName | Minimal
                        ProductVersion | 1.0.0.0
                        Assembly Version | 1.0.0.0
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2025-03-11T01:17:38.518469+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.10 | 49684 | 104.245.240.158 | 5901 | TCP
                        2025-03-11T01:18:06.095172+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:18.248409+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:18.248409+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:20.516809+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:20.518830+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
                        2025-03-11T01:18:34.971591+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:34.979031+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
                        2025-03-11T01:18:42.532648+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:42.550274+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
                        2025-03-11T01:18:48.253219+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:48.253219+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:56.954059+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 94.156.227.193 | 5901 | 192.168.2.10 | 49692 | TCP
                        2025-03-11T01:18:56.960576+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 49692 | 94.156.227.193 | 5901 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Mar 11, 2025 01:17:26.296150923 CET | 49684 | 5901 | 192.168.2.10 | 104.245.240.158
                        Mar 11, 2025 01:17:26.301060915 CET | 5901 | 49684 | 104.245.240.158 | 192.168.2.10
                        Mar 11, 2025 01:17:26.301258087 CET | 49684 | 5901 | 192.168.2.10 | 104.245.240.158
                        Mar 11, 2025 01:17:26.389825106 CET | 49684 | 5901 | 192.168.2.10 | 104.245.240.158
                        Mar 11, 2025 01:17:26.394773006 CET | 5901 | 49684 | 104.245.240.158 | 192.168.2.10
                        Mar 11, 2025 01:17:38.518469095 CET | 49684 | 5901 | 192.168.2.10 | 104.245.240.158
                        Mar 11, 2025 01:17:38.523416042 CET | 5901 | 49684 | 104.245.240.158 | 192.168.2.10
                        Mar 11, 2025 01:17:47.673975945 CET | 5901 | 49684 | 104.245.240.158 | 192.168.2.10
                        Mar 11, 2025 01:17:47.674087048 CET | 49684 | 5901 | 192.168.2.10 | 104.245.240.158
                        Mar 11, 2025 01:17:51.382987976 CET | 49684 | 5901 | 192.168.2.10 | 104.245.240.158
                        Mar 11, 2025 01:17:51.387840986 CET | 5901 | 49684 | 104.245.240.158 | 192.168.2.10
                        Mar 11, 2025 01:17:51.404460907 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:17:51.409326077 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:17:51.409409046 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:17:51.444655895 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:17:51.449549913 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:05.851958036 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:05.856914043 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:06.095171928 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:06.139543056 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:06.144480944 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:18.248409033 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:18.289093018 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:20.273850918 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:20.278852940 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:20.516808987 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:20.518830061 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:20.523787022 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:34.695574999 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:34.700608015 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:34.971590996 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:34.979031086 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:34.983954906 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:42.289314032 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:42.294384003 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:42.532648087 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:42.550273895 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:42.555181026 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:48.253218889 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:48.304656029 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:56.711183071 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:56.716157913 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:56.954058886 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:18:56.960576057 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Mar 11, 2025 01:18:56.965411901 CET | 5901 | 49692 | 94.156.227.193 | 192.168.2.10
                        Mar 11, 2025 01:19:16.626159906 CET | 49692 | 5901 | 192.168.2.10 | 94.156.227.193
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Mar 11, 2025 01:17:26.271219969 CET | 56684 | 53 | 192.168.2.10 | 1.1.1.1
                        Mar 11, 2025 01:17:26.288502932 CET | 53 | 56684 | 1.1.1.1 | 192.168.2.10
                        Mar 11, 2025 01:17:51.384367943 CET | 50556 | 53 | 192.168.2.10 | 1.1.1.1
                        Mar 11, 2025 01:17:51.403669119 CET | 53 | 50556 | 1.1.1.1 | 192.168.2.10
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Mar 11, 2025 01:17:26.271219969 CET | 192.168.2.10 | 1.1.1.1 | 0x83b6 | Standard query (0) | wqo9.firewall-gateway.de | A (IP address) | IN (0x0001) | false
                        Mar 11, 2025 01:17:51.384367943 CET | 192.168.2.10 | 1.1.1.1 | 0x2ce0 | Standard query (0) | doe.ydns.eu | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Mar 11, 2025 01:17:26.288502932 CET | 1.1.1.1 | 192.168.2.10 | 0x83b6 | No error (0) | wqo9.firewall-gateway.de | | 104.245.240.158 | A (IP address) | IN (0x0001) | false
                        Mar 11, 2025 01:17:51.403669119 CET | 1.1.1.1 | 192.168.2.10 | 0x2ce0 | No error (0) | doe.ydns.eu | | 94.156.227.193 | A (IP address) | IN (0x0001) | false

                        Target ID:0
                        Start time:20:17:13
                        Start date:10/03/2025
                        Path:C:\Users\user\Desktop\x20U0QJMVC.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\x20U0QJMVC.exe"
                        Imagebase:0x760000
                        File size:651'776 bytes
                        MD5 hash:37EF4F24015C203F1F703E634AB7ABE3
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1114600439.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Target ID:4
                        Start time:20:17:20
                        Start date:10/03/2025
                        Path:C:\Users\user\Desktop\x20U0QJMVC.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\x20U0QJMVC.exe"
                        Imagebase:0xda0000
                        File size:651'776 bytes
                        MD5 hash:37EF4F24015C203F1F703E634AB7ABE3
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2257147741.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:16
                        Start time:20:19:02
                        Start date:10/03/2025
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1984
                        Imagebase:0x9e0000
                        File size:483'680 bytes
                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
