
Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name: Client-built.exe
Analysis ID: 1638452
MD5: 0d68240c70bf064dd5ecc152403923a6
SHA1: 96970027964b6b2fc32bccaa174b5c4a237ef5bf
SHA256: bc0521a3e491886f28389ee6c8c1e7b41aa2e46e847b6be8f495db6d1e767b19
Tags: exe, user-BastianHein

Detection

Discord Rat
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
.NET source code contains potential unpacker
Contains functionality to disable the Task Manager (.Net Source)
Joe Sandbox ML detected suspicious sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Client-built.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\Client-built.exe" MD5: 0D68240C70BF064DD5ECC152403923A6)
    • WerFault.exe (PID: 7780 cmdline: C:\Windows\system32\WerFault.exe -u -p 7440 -s 2308 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Extracted malware configuration: {"Discord Token": "MTM0OTkxMzc0ODA5MzE0NTExOA.GkyAqM.FSoT85tOLmyVrzXDaepswRaWFE6zCpAd_DA9bw", "Server ID": "1349913101335531600"}

Source | Rule | Description | Author
Client-built.exe | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
00000000.00000000.1262491533.0000024881E52000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
Process Memory Space: Client-built.exe PID: 7440 | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
0.0.Client-built.exe.24881e50000.0.unpack | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Client-built.exe | Avira: detected
Source: Client-built.exe | Malware Configuration Extractor: Discord Rat {"Discord Token": "MTM0OTkxMzc0ODA5MzE0NTExOA.GkyAqM.FSoT85tOLmyVrzXDaepswRaWFE6zCpAd_DA9bw", "Server ID": "1349913101335531600"}
Source: Client-built.exe | Virustotal: Detection: 66%
Source: Client-built.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.24881e50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1262491533.0000024881E52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7440, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
Source: unknown | HTTPS traffic detected: 162.159.133.234:443 -> 192.168.2.6:49687 version: TLS 1.2
Source: Client-built.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: pC:\Users\user\Desktop\Client-built.PDB source: Client-built.exe, 00000000.00000002.1671827893.000000EAC9FF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: System.Core.pdbPq source: WER4A33.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbyUt source: Client-built.exe, 00000000.00000002.1672868027.000002489C7CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb% source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER4A33.tmp.dmp.8.dr
Source: Binary string: System.Web.Extensions.pdbP source: WER4A33.tmp.dmp.8.dr
Source: Binary string: b77a5c561934e089\mscorlib.pdb source: Client-built.exe, 00000000.00000002.1671827893.000000EAC9FF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4A33.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\dll\System.pdbH source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\System.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb` source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbp source: WER4A33.tmp.dmp.8.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB source: Client-built.exe, 00000000.00000002.1671827893.000000EAC9FF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4A33.tmp.dmp.8.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDBP[~ source: Client-built.exe, 00000000.00000002.1671827893.000000EAC9FF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: System.Web.Extensions.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C7CB000.00000004.00000020.00020000.00000000.sdmp, WER4A33.tmp.dmp.8.dr
Source: Binary string: Client-built.PDB source: Client-built.exe, 00000000.00000002.1671827893.000000EAC9FF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C7CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\System.pdb8 source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: em.pdb3o source: Client-built.exe, 00000000.00000002.1672868027.000002489C7CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb, source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdbH source: Client-built.exe, 00000000.00000002.1672868027.000002489C796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4A33.tmp.dmp.8.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb source: Client-built.exe, 00000000.00000002.1671827893.000000EAC9FF1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Client-built.exe, 00000000.00000002.1672868027.000002489C7CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER4A33.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER4A33.tmp.dmp.8.dr
Source: global traffic | HTTP traffic detected:
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: Nt8G6yftS1Xvt+fAXz9yCQ==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
Source: Joe Sandbox View | IP Address: 162.159.133.234 162.159.133.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gateway.discord.gg
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 14 Mar 2025 10:58:03 GMT
    Content-Length: 0
    Connection: close
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5R7leUwQvSw9s0ZGG4jwYu%2BFEHYOtOguplE96%2BlUq3HgCElGDWdeTzt6xwbmXSYOcPEwjV6K%2FpSbYtE7vzFYdrjqtwpa2wMeoD7gsI%2BD1BOAPe621EhZDboRfvMFD%2FQn7FbHmw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 920340f49a3a436f-EWR
Source: Client-built.exe, 00000000.00000002.1672492130.0000024883D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.1672492130.0000024883CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: Client-built.exe | String found in binary or memory: http://www.google.com/maps/place/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/channels/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/guilds/
Source: Client-built.exe | String found in binary or memory: https://file.io/
Source: Client-built.exe, 00000000.00000002.1672492130.0000024883D79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.1672492130.0000024883D79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: Client-built.exe, 00000000.00000002.1672492130.0000024883D79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: Client-built.exe, 00000000.00000002.1672492130.0000024883CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: Client-built.exe | String found in binary or memory: https://geolocation-db.com/json
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443

E-Banking Fraud

Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E13FA
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E12D1
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E12E0
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E13D3
Source: C:\Users\user\Desktop\Client-built.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7440 -s 2308
Source: Client-built.exe | Static PE information: No import functions for PE file found
Source: Client-built.exe, 00000000.00000000.1262491533.0000024881E66000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDiscord rat.exe8 vs Client-built.exe
Source: Client-built.exe | Binary or memory string: OriginalFilenameDiscord rat.exe8 vs Client-built.exe
Source: classification engine | Classification label: mal84.troj.evad.winEXE@2/6@1/1
Source: C:\Users\user\Desktop\Client-built.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7440
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\af1416b4-5452-4fc9-85ca-6ff581d86330
Source: Client-built.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Client-built.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Client-built.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Client-built.exe | File read: C:\Users\user\Desktop\Client-built.exe
Source: unknown | Process created: C:\Users\user\Desktop\Client-built.exe "C:\Users\user\Desktop\Client-built.exe"
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: websocket.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Client-built.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Client-built.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Client-built.exe | Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation

Source: Client-built.exe, Program.cs | .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: Client-built.exe, Program.cs | .Net Code: password
Source: Client-built.exe, Program.cs | .Net Code: webcampic
Source: Client-built.exe, Program.cs | .Net Code: select_cam
Source: Client-built.exe, Program.cs | .Net Code: get_cams
Source: Client-built.exe, Program.cs | .Net Code: get_tokens
Source: Client-built.exe | Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E3FFD push ebx; retf 000Bh (0_2_00007FF88B4E3FCA)
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E00BD pushad ; iretd (0_2_00007FF88B4E00C1)
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FF88B4E3F9D push ebx; retf 000Bh (0_2_00007FF88B4E3FCA)
Source: C:\Users\user\Desktop\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Client-built.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Client-built.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Client-built.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Client-built.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Client-built.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Client-built.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Client-built.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Client-built.exe Memory allocated: 24882330000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Client-built.exe Memory allocated: 2489BCE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Client-built.exe Window / User API: threadDelayed 427
          Source: C:\Users\user\Desktop\Client-built.exe TID: 7544 Thread sleep count: 427 > 30
          Source: C:\Users\user\Desktop\Client-built.exe TID: 7536 Thread sleep count: 69 > 30
          Source: Amcache.hve.8.dr Binary or memory string: VMware
          Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
          Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
          Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
          Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Client-built.exe, 00000000.00000002.1672096659.0000024882045000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
          Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
          Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\Client-built.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\Client-built.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Client-built.exe Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\Client-built.exe Queries volume information: C:\Users\user\Desktop\Client-built.exe VolumeInformation
          Source: C:\Users\user\Desktop\Client-built.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Client-built.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Client-built.exe, Program.cs .Net Code: DisableTaskManager
          Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr Binary or memory string: msmpeng.exe
          Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match, File source: Client-built.exe, type: SAMPLE
          Source: Yara match, File source: 0.0.Client-built.exe.24881e50000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000000.00000000.1262491533.0000024881E52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: Client-built.exe PID: 7440, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match, File source: Client-built.exe, type: SAMPLE
          Source: Yara match, File source: 0.0.Client-built.exe.24881e50000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000000.00000000.1262491533.0000024881E52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: Client-built.exe PID: 7440, type: MEMORYSTR

          ATT&CK tactics and techniques (a number in parentheses is the count of signatures matched to that technique; techniques without a number are the unmatched cells of the matrix)

          Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
          Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
          Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
          Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
          Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
          Defense Evasion: Virtualization/Sandbox Evasion (3), Disable or Modify Tools (11), Process Injection (1), Obfuscated Files or Information (1), Software Packing (1), Timestomp (1), DLL Side-Loading (1)
          Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
          Discovery: Query Registry (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (3), Application Window Discovery (1), System Information Discovery (12), Wi-Fi Discovery, Remote System Discovery
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
          Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
          Command and Control: Encrypted Channel (11), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery