Windows Analysis Report
sWr3wJ0SuB.exe

Overview

General Information

Sample name: sWr3wJ0SuB.exe (renamed because original name is a hash value)
Original sample name: f065e2af7ca01958f8eaa8fd7403f7ce93b8c7d8e1f31871a0d03b7de66fa885.exe
Analysis ID: 1632391
MD5: cd84b0327573196c299f2c8c4517616c
SHA1: 6b801b2e7b80d60dc3e68da4ec97bfd2bb683e7e
SHA256: f065e2af7ca01958f8eaa8fd7403f7ce93b8c7d8e1f31871a0d03b7de66fa885
Tags: exe, MassLogger, user-adrian__luca

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • sWr3wJ0SuB.exe (PID: 4152 cmdline: "C:\Users\user\Desktop\sWr3wJ0SuB.exe" MD5: CD84B0327573196C299F2C8C4517616C)
    • MSBuild.exe (PID: 6740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Extracted malware configuration (MassLogger): {"EXfil Mode": "SMTP", "From": "black@hightechqa.com", "Password": "b6(A12UFEMab", "Server": "mail.hightechqa.com"}
Source | Rule | Description | Author | Strings
00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
0.2.sWr3wJ0SuB.exe.3841328.3.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.sWr3wJ0SuB.exe.3841328.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.sWr3wJ0SuB.exe.3841328.3.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
0.2.sWr3wJ0SuB.exe.3841328.3.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.sWr3wJ0SuB.exe.3841328.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd3df:$a1: get_encryptedPassword
  • 0xd707:$a2: get_encryptedUsername
  • 0xd17a:$a3: get_timePasswordChanged
  • 0xd29b:$a4: get_passwordField
  • 0xd3f5:$a5: set_encryptedPassword
  • 0xed51:$a7: get_logins
  • 0xea02:$a8: GetOutlookPasswords
  • 0xe7f4:$a9: StartKeylogger
  • 0xeca1:$a10: KeyLoggerEventArgs
  • 0xe851:$a11: KeyLoggerEventArgsEventHandler

System Summary

Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 158.101.44.242, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 6740, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49685

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:13:25.451414+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49685 | 158.101.44.242 | 80 | TCP

AV Detection

Source: sWr3wJ0SuB.exe | Avira: detected
Source: 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "black@hightechqa.com", "Password": "b6(A12UFEMab", "Server": "mail.hightechqa.com"}
Source: sWr3wJ0SuB.exe | Virustotal: Detection: 75%
Source: sWr3wJ0SuB.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: sWr3wJ0SuB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49686 version: TLS 1.0
Source: sWr3wJ0SuB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yCsD.pdb source: sWr3wJ0SuB.exe
Source: Binary string: yCsD.pdbSHA256 source: sWr3wJ0SuB.exe
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49685 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: */* If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: */* If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sWr3wJ0SuB.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C12000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

System Summary

Source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: sWr3wJ0SuB.exe PID: 4152, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 6740, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: sWr3wJ0SuB.exe | Binary or memory string: OriginalFilename vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe, 00000000.00000002.1228383821.00000000029C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe, 00000000.00000002.1231857357.0000000006DB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe, 00000000.00000002.1227123370.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe, 00000000.00000000.1217436184.0000000000430000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyCsD.exeB vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe, 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe | Binary or memory string: OriginalFilenameyCsD.exeB vs sWr3wJ0SuB.exe
Source: sWr3wJ0SuB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: Process Memory Space: sWr3wJ0SuB.exe PID: 4152, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: Process Memory Space: MSBuild.exe PID: 6740, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: sWr3wJ0SuB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sWr3wJ0SuB.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: sWr3wJ0SuB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sWr3wJ0SuB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MSBuild.exe, 00000002.00000002.2480336213.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2480336213.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2480336213.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2480336213.0000000002CA6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2481313611.0000000003BBD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2480336213.0000000002C83000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: sWr3wJ0SuB.exe | Virustotal: Detection: 75%
Source: sWr3wJ0SuB.exe | ReversingLabs: Detection: 76%
Source: unknown | Process created: C:\Users\user\Desktop\sWr3wJ0SuB.exe "C:\Users\user\Desktop\sWr3wJ0SuB.exe"
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: sWr3wJ0SuB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: sWr3wJ0SuB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: sWr3wJ0SuB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: yCsD.pdb source: sWr3wJ0SuB.exe
Source: Binary string: yCsD.pdbSHA256 source: sWr3wJ0SuB.exe
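The two behaviours above that a detection engineer would pair are the process chain (sWr3wJ0SuB.exe, running from the user's desktop, starting MSBuild.exe with nothing but its own path on the command line) and that same MSBuild.exe process then opening the Outlook profile subkey 9375CFF0413111d3B88A00104B2A6676, where Outlook keeps account settings. The following is an added example, not part of the Joe Sandbox report: it runs two rules over constructed events and correlates them by process ID. The `key=value|key=value` line shape is invented for the demonstration and is not any product's log format; PIDs 4152 and 6740 and the image paths are taken from this report, while the devenv.exe build and the OUTLOOK.EXE event are constructed benign look-alikes that the rules must not fire on.

```python
"""Detection logic for the behaviour chain in this report: a user-profile
executable spawns MSBuild.exe with no project to build (the injection host),
and that MSBuild.exe process then opens the Outlook profile key that stores
mail account settings. Added example over constructed events; the key=value
line format below is invented for the demonstration."""
import re

OUTLOOK_PROFILE_KEY = r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
BUILD_TOOLS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
MAIL_CLIENTS = {"outlook.exe"}
PROJECT_ARG = re.compile(r"\.(?:proj|csproj|vbproj|sln|targets)\b", re.I)

# Constructed events. PIDs 4152 and 6740 and the image paths come from this
# report; PID 7001 (devenv.exe driving a real build) and PID 3300 (OUTLOOK.EXE
# reading its own profile) are benign look-alikes the rules must ignore.
SAMPLE_LOG = r"""
EventType=ProcessCreate|ProcessId=4152|Image=C:\Users\user\Desktop\sWr3wJ0SuB.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Users\user\Desktop\sWr3wJ0SuB.exe"
EventType=ProcessCreate|ProcessId=6740|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|ParentImage=C:\Users\user\Desktop\sWr3wJ0SuB.exe|CommandLine="C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EventType=ProcessCreate|ProcessId=7001|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|ParentImage=C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe|CommandLine=MSBuild.exe C:\src\app.csproj /t:Build
EventType=RegistryOpen|ProcessId=6740|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|TargetObject=HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
EventType=RegistryOpen|ProcessId=3300|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|TargetObject=HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
"""


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' line into a dict (first '=' wins)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def msbuild_without_project(ev: dict) -> bool:
    """MSBuild.exe started by something other than a build tool and handed
    no project, solution or targets file: nothing to build, so a likely
    process-hollowing host rather than a compile."""
    if ev.get("EventType") != "ProcessCreate" or image_name(ev.get("Image", "")) != "msbuild.exe":
        return False
    if image_name(ev.get("ParentImage", "")) in BUILD_TOOLS:
        return False
    return PROJECT_ARG.search(ev.get("CommandLine", "")) is None


def outlook_profile_read_by_non_mail_client(ev: dict) -> bool:
    """Any process but the mail client opening the profile subkey where
    Outlook keeps account settings is mail-credential harvesting."""
    if ev.get("EventType") != "RegistryOpen":
        return False
    if not ev.get("TargetObject", "").lower().endswith(OUTLOOK_PROFILE_KEY.lower()):
        return False
    return image_name(ev.get("Image", "")) not in MAIL_CLIENTS


def correlate(log_text: str) -> set:
    """PIDs that both look like an MSBuild injection host and later read the
    Outlook profile key. Either rule alone is a lead; both on one PID is the
    stealer chain this report records."""
    hosts, readers = set(), set()
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if msbuild_without_project(ev):
            hosts.add(ev["ProcessId"])
        if outlook_profile_read_by_non_mail_client(ev):
            readers.add(ev["ProcessId"])
    return hosts & readers


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # {'6740'}
```

The first rule on its own is noisy on developer machines, which is why the parent-image allow-list and the project-argument check are there; correlating it with the registry read on the same PID is what turns two weak signals into the chain seen in this report.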

                  Data Obfuscation

Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | .Net Code: SPFJx9Ztjd System.Reflection.Assembly.Load(byte[])
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | .Net Code: SPFJx9Ztjd System.Reflection.Assembly.Load(byte[])
Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | .Net Code: SPFJx9Ztjd System.Reflection.Assembly.Load(byte[])
Source: sWr3wJ0SuB.exe | Static PE information: 0xE0B2D088 [Fri Jun 17 02:52:56 2089 UTC]
Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Code function: 0_2_07377750 push cs; ret 0_2_07377751
Source: sWr3wJ0SuB.exe | Static PE information: section name: .text entropy: 7.648524929337228
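The static indicators in this section (a link timestamp of 0xE0B2D088, which is in 2089, a .text section at entropy 7.65, the OriginalFilename values earlier in the report that disagree with the on-disk name, and the high-entropy method names listed below) are all cheap to reproduce without a sandbox. The following is an added example, not part of the Joe Sandbox report or its tooling: a minimal PE header parser plus the four checks, run against a constructed stand-in image rather than the real sample. The 0x0102 and 0x60000020 flag values are the EXECUTABLE_IMAGE|32BIT_MACHINE and CODE|EXECUTE|READ characteristics the report lists; the byte pattern used as section content is a constructed placeholder for packed code, and the bare UTF-16 string appended to the image stands in for a real VERSIONINFO resource.

```python
"""Static triage for the indicators this report lists against the dropper:
a link timestamp in the future, a .text section with packer-level entropy,
VERSIONINFO OriginalFilename values that disagree with the on-disk name,
and the high-entropy method names that mark an obfuscated .NET assembly.
Added example; the PE built below is a constructed stand-in, not the sample."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data) -> float:
    """Bits per symbol of a bytes or str value (8.0 is the maximum for bytes)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def parse_pe(blob: bytes):
    """Return (TimeDateStamp, [(section name, raw bytes), ...]) from a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    first_section = coff + 20 + opt_size  # skip the optional header by its declared size
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", blob, first_section + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]))
    return timestamp, sections


def original_filenames(blob: bytes):
    """Collect OriginalFilename values from UTF-16LE VERSIONINFO strings."""
    key = "OriginalFilename".encode("utf-16-le")
    found, pos = [], 0
    while (pos := blob.find(key, pos)) != -1:
        pos += len(key)
        while blob[pos:pos + 2] == b"\0\0":  # key terminator plus DWORD padding
            pos += 2
        end = pos
        while len(blob[end:end + 2]) == 2 and blob[end:end + 2] != b"\0\0":
            end += 2
        found.append(blob[pos:end].decode("utf-16-le", "replace"))
        pos = end
    return found


def triage(blob: bytes, disk_name: str, now=None) -> dict:
    """Mirror the report's static checks and return them as findings."""
    now = now or datetime.now(timezone.utc)
    timestamp, sections = parse_pe(blob)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    findings = {"compile_year": compiled.year, "timestamp_in_future": compiled > now}
    text = dict(sections).get(".text", b"")
    findings["text_entropy"] = round(shannon_entropy(text), 3)
    findings["text_looks_packed"] = findings["text_entropy"] > 7.0  # the report's .text scores 7.65
    names = original_filenames(blob)
    findings["original_filenames"] = names
    findings["filename_mismatch"] = bool(names) and disk_name.lower() not in [n.lower() for n in names]
    return findings


def method_names_obfuscated(names, threshold: float = 4.5) -> bool:
    """The 'high entropy of concatenated method names' heuristic: random
    identifiers score above 5 bits/char, English CamelCase stays near 4."""
    return shannon_entropy("".join(names)) > threshold


def build_sample_pe(timestamp: int, text: bytes, original_filename: str) -> bytes:
    """Constructed stand-in: DOS stub, COFF header, one .text section and a
    bare VERSIONINFO-style string appended after the section data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    header = dos + b"PE\0\0" + coff + section
    verinfo = ("OriginalFilename".encode("utf-16-le") + b"\0\0\0\0"
               + original_filename.encode("utf-16-le") + b"\0\0")
    return header.ljust(raw_ptr, b"\0") + text + verinfo


# Method names copied from the report: one obfuscated class and the
# unobfuscated framework overrides it leaves readable.
OBFUSCATED_NAMES = ["s2i5BNhwwT", "JQh56ABCp6", "AWa5rO9S80", "FTg5QeBdkk", "QuU5LByZv1",
                    "nHK5UUTLf5", "df65vkheeP", "N1k5VNMHFs", "rkM5FkuIoJ", "lcI5ocJUfH"]
BENIGN_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "Dispose", "ToString", "Next", "NextBytes"]

if __name__ == "__main__":
    # 0xE0B2D088 is the link time from the report; the byte pattern is a
    # constructed placeholder for the packed .text section.
    sample = build_sample_pe(0xE0B2D088, bytes(range(256)) * 16, "yCsD.exe")
    print(triage(sample, "sWr3wJ0SuB.exe"))
    print(method_names_obfuscated(OBFUSCATED_NAMES), method_names_obfuscated(BENIGN_NAMES))
```

A real sample would be read from disk and passed to `triage` in place of `build_sample_pe`; the parser honours SizeOfOptionalHeader, so it walks the section table of a genuine PE32 or PE32+ image the same way. The entropy threshold of 7.0 for .text and 4.5 for method names are the working values the example assumes, not numbers the report states.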
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, oDLRGEy24M1UXLOxru.cs | High entropy of concatenated method names: 's2i5BNhwwT', 'JQh56ABCp6', 'AWa5rO9S80', 'FTg5QeBdkk', 'QuU5LByZv1', 'nHK5UUTLf5', 'df65vkheeP', 'N1k5VNMHFs', 'rkM5FkuIoJ', 'lcI5ocJUfH'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | High entropy of concatenated method names: 'CUdbwmjArC', 'r93bfamlAq', 'RBqbW8jvhX', 'YKnbkJKYsf', 'NEubulAsvi', 'sLebixQKC2', 'CABbcy66s1', 'gpGb77yBZi', 'k67b2JeoSi', 'EH5b9NS9Ze'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, VyY2rjvcByZ9kFk4et.cs | High entropy of concatenated method names: 'voFcfjvooV', 'XGnckT4hPJ', 'Omfci63BNB', 'lKNidZ1Mdo', 'KAMizOMwOB', 'V22cTcPWb1', 'bjTcSKcapM', 'eHbcGl3Ffd', 'ie4cbD1Jjs', 'cp0cJMsxXP'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, efDWtZG2cAW2bAQ3GR.cs | High entropy of concatenated method names: 'wlSxW13i7', 'pVxPlJ4aH', 'SA8DGOxwT', 'T1f1UTeoc', 'sUw6ElNcU', 'APBmQ31L4', 'XTmaRMyKssKxQFuLjA', 'AL83ltXAIiEhs3PBkh', 'TArXTUDYY', 'jR3Aw1w8T'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, x0VUmQSTU64hwZHavMD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vFxAoQggUo', 'RFpAppQroC', 'XJ3Ayoog6B', 'yJeAaHOvcD', 'eIiAMlcCT4', 'XptAZcJyLn', 'ou1Aq2HaBR'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, FUBWi8dohR3SnqLZED.cs | High entropy of concatenated method names: 'cQ4AkGUmnB', 'VuNAugeCoq', 'vkDAiJfMlQ', 'S4NAcBqx4v', 'K0UA32SYpU', 'tluA7gNZ4b', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, uFdtLsnswTL7ohVdPD.cs | High entropy of concatenated method names: 'YS204kivkq', 'rNy0dcL11B', 'egqXTtIfO1', 'TfUXSuXX2b', 'lGM0ogMQAY', 'eGk0pdRWts', 'vq00yHDxUU', 'PFJ0aBAx0F', 'qWi0M155Ht', 'Mca0ZC1m6R'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, nuXEPsaVZ0CsXd7mAn.cs | High entropy of concatenated method names: 'k57CFgAWId', 'zg1Cpylfqv', 'peoCaghRJt', 'JTRCMPdRWM', 'foPCQMK5Ga', 'Ec8CRp1mx9', 'nIhCLTXyBN', 'Li6CUYRuPU', 'XYZCEalQZD', 'Up7CvlBJwJ'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, qRQ6AH69bLLUK6AoOk.cs | High entropy of concatenated method names: 'hWOkPWbYAY', 'HMZkD97HfC', 'Ic4kBndiAj', 'Kq5k6stIaQ', 'YaKkCDlGTm', 'vBMks64AXi', 'LI1k0A0pJo', 'gcakX6ld63', 'A70k3ALdU8', 'TrxkAPEK0p'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, cYuC5fmbE0crCOh539.cs | High entropy of concatenated method names: 'KdZutuumY8', 'HeYu13UI37', 'NGbkRxhJB9', 'TWnkLbYtde', 'HkqkUwnqjU', 'mldkELFLjK', 'biVkvuf9gc', 'eTJkV5WRNl', 'H2Gklv2ZkM', 'A2akFt7l2q'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, BcasXwrwFjAyPXyVlF.cs | High entropy of concatenated method names: 'x3jiwdtErV', 'U0jiWJbeGf', 'n9tiupZrkU', 'awCicNbSJH', 'a2Pi7uCgUh', 'jbluINc03t', 'qFrundjMbT', 'vPFuHCAJb0', 'wLtu4L30ar', 'rtDuY6vqMR'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, jDPqPlzYcsDKbn6IC6.cs | High entropy of concatenated method names: 'XAgADVpO9B', 'KNoABN5rdl', 'C3cA6gAsVQ', 'bbAArAHOjV', 'LyhAQvvfwk', 'WFIALNL0AV', 'puMAUh398I', 'ePYAjjukjg', 'SbdANtQayD', 'mRLAe8Vwh0'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, aLNwGLZqZNiHQ1CuYS.cs | High entropy of concatenated method names: 'ToString', 'hP8soIfyfZ', 'kSvsQiqXlS', 'JyDsROBX5D', 'apWsL1x13E', 'tnmsUEIEYC', 'H2hsEfo7C6', 'gZCsv6XVYB', 'M1jsVuk5xp', 'oocsl6P7mk'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, duqZKWYTXpBkB6q7Hi.cs | High entropy of concatenated method names: 'wSw3r3HUru', 'ku73QZ3rm9', 'uQU3R1HoM3', 'WEP3LIZoJH', 'eSO3U3PCib', 'jsr3E8H7Th', 'aYe3vidHBE', 'rf13VluDO1', 'OPd3lCSrsv', 'rZx3Fb8lZG'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, FDfeaDWkj6uwr853fB.cs | High entropy of concatenated method names: 'Dispose', 'm1vSYVQV7y', 'HvZGQ5u1YK', 'qAtCTnFTTZ', 'mtmSdBvvOs', 'BtaSzYdypV', 'ProcessDialogKey', 'o8JGTuqZKW', 'aXpGSBkB6q', 'kHiGGmUBWi'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, RaDpFAleFdsHB4dTjP.cs | High entropy of concatenated method names: 'DW6cNoiRpn', 'e4xceESoTS', 'B7qcx2uuuR', 'TjjcPmq4uM', 't5nctNdouI', 'NhjcDInJcy', 'J5Xc1OhA6x', 'JZYcBVOyZV', 'KaXc68wI8C', 'cgncmfcBn2'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, pbPxoRJcN8LGtJUGqT.cs | High entropy of concatenated method names: 'eEjSc9mhRk', 'oN6S7LqkMg', 'V9bS9LLUK6', 'soOS8kGYuC', 'vh5SC39Dca', 'pXwSswFjAy', 'zLc9lKKBn5ln8N6uZ9', 'UJpAdLrlyNhCIJFpxL', 'SlTSS7062c', 'v0KSbvpDIZ'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, x9mhRkBCN6LqkMg2IH.cs | High entropy of concatenated method names: 'se4WaGTqWP', 'fDyWMSLm90', 'ggiWZLbqi5', 'VabWq0XaJe', 'P7MWIyLOay', 'I3XWnXDswg', 'g7yWHvSkaB', 'AL1W4osox5', 'JEMWYWAbWk', 'YrHWd131vu'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, a86HajSSwZRC0t7eihu.cs | High entropy of concatenated method names: 'qREAdLTnSp', 'yf3Azw2Ce0', 'qjRgT3a6Rn', 'gdugS9WgBl', 'dNYgGrprdx', 'vKUgbHyLrr', 'hICgJKHcX2', 'T2OgwjYl1c', 'b7PgfNNbej', 'BWMgWxU7s2'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, xRbZioHoE81vVQV7y9.cs | High entropy of concatenated method names: 'Isv3CMTiVr', 'J4L30LH3Z7', 'seY33SVQrL', 'mgq3gdc0sm', 'mEU3ORmEdp', 'qSO3jZJJk7', 'Dispose', 'DCZXfydHkI', 'NNWXWbI3ce', 'jgVXkN90K4'
Source: 0.2.sWr3wJ0SuB.exe.6db0000.5.raw.unpack, eGGJWLktYjl8yayLnH.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RqyGYgAia1', 'JWjGd5p68j', 'KdkGzMUGJb', 'k1GbTLtb4j', 'uDibSNNveZ', 'YNebGOfTcH', 'OKQbb2xkBC', 'Y2D0vSbIy0KQWCMdLhV'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, oDLRGEy24M1UXLOxru.cs | High entropy of concatenated method names: 's2i5BNhwwT', 'JQh56ABCp6', 'AWa5rO9S80', 'FTg5QeBdkk', 'QuU5LByZv1', 'nHK5UUTLf5', 'df65vkheeP', 'N1k5VNMHFs', 'rkM5FkuIoJ', 'lcI5ocJUfH'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, e85cWN7KcAIPBZ0UIq.cs | High entropy of concatenated method names: 'CUdbwmjArC', 'r93bfamlAq', 'RBqbW8jvhX', 'YKnbkJKYsf', 'NEubulAsvi', 'sLebixQKC2', 'CABbcy66s1', 'gpGb77yBZi', 'k67b2JeoSi', 'EH5b9NS9Ze'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, VyY2rjvcByZ9kFk4et.cs | High entropy of concatenated method names: 'voFcfjvooV', 'XGnckT4hPJ', 'Omfci63BNB', 'lKNidZ1Mdo', 'KAMizOMwOB', 'V22cTcPWb1', 'bjTcSKcapM', 'eHbcGl3Ffd', 'ie4cbD1Jjs', 'cp0cJMsxXP'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, efDWtZG2cAW2bAQ3GR.cs | High entropy of concatenated method names: 'wlSxW13i7', 'pVxPlJ4aH', 'SA8DGOxwT', 'T1f1UTeoc', 'sUw6ElNcU', 'APBmQ31L4', 'XTmaRMyKssKxQFuLjA', 'AL83ltXAIiEhs3PBkh', 'TArXTUDYY', 'jR3Aw1w8T'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, x0VUmQSTU64hwZHavMD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vFxAoQggUo', 'RFpAppQroC', 'XJ3Ayoog6B', 'yJeAaHOvcD', 'eIiAMlcCT4', 'XptAZcJyLn', 'ou1Aq2HaBR'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, FUBWi8dohR3SnqLZED.cs | High entropy of concatenated method names: 'cQ4AkGUmnB', 'VuNAugeCoq', 'vkDAiJfMlQ', 'S4NAcBqx4v', 'K0UA32SYpU', 'tluA7gNZ4b', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, uFdtLsnswTL7ohVdPD.cs | High entropy of concatenated method names: 'YS204kivkq', 'rNy0dcL11B', 'egqXTtIfO1', 'TfUXSuXX2b', 'lGM0ogMQAY', 'eGk0pdRWts', 'vq00yHDxUU', 'PFJ0aBAx0F', 'qWi0M155Ht', 'Mca0ZC1m6R'
Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, nuXEPsaVZ0CsXd7mAn.cs | High entropy of concatenated method names: 'k57CFgAWId', 'zg1Cpylfqv', 'peoCaghRJt', 'JTRCMPdRWM', 'foPCQMK5Ga', 'Ec8CRp1mx9', 'nIhCLTXyBN', 'Li6CUYRuPU', 'XYZCEalQZD', 'Up7CvlBJwJ'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, qRQ6AH69bLLUK6AoOk.csHigh entropy of concatenated method names: 'hWOkPWbYAY', 'HMZkD97HfC', 'Ic4kBndiAj', 'Kq5k6stIaQ', 'YaKkCDlGTm', 'vBMks64AXi', 'LI1k0A0pJo', 'gcakX6ld63', 'A70k3ALdU8', 'TrxkAPEK0p'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, cYuC5fmbE0crCOh539.csHigh entropy of concatenated method names: 'KdZutuumY8', 'HeYu13UI37', 'NGbkRxhJB9', 'TWnkLbYtde', 'HkqkUwnqjU', 'mldkELFLjK', 'biVkvuf9gc', 'eTJkV5WRNl', 'H2Gklv2ZkM', 'A2akFt7l2q'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, BcasXwrwFjAyPXyVlF.csHigh entropy of concatenated method names: 'x3jiwdtErV', 'U0jiWJbeGf', 'n9tiupZrkU', 'awCicNbSJH', 'a2Pi7uCgUh', 'jbluINc03t', 'qFrundjMbT', 'vPFuHCAJb0', 'wLtu4L30ar', 'rtDuY6vqMR'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, jDPqPlzYcsDKbn6IC6.csHigh entropy of concatenated method names: 'XAgADVpO9B', 'KNoABN5rdl', 'C3cA6gAsVQ', 'bbAArAHOjV', 'LyhAQvvfwk', 'WFIALNL0AV', 'puMAUh398I', 'ePYAjjukjg', 'SbdANtQayD', 'mRLAe8Vwh0'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, aLNwGLZqZNiHQ1CuYS.csHigh entropy of concatenated method names: 'ToString', 'hP8soIfyfZ', 'kSvsQiqXlS', 'JyDsROBX5D', 'apWsL1x13E', 'tnmsUEIEYC', 'H2hsEfo7C6', 'gZCsv6XVYB', 'M1jsVuk5xp', 'oocsl6P7mk'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, duqZKWYTXpBkB6q7Hi.csHigh entropy of concatenated method names: 'wSw3r3HUru', 'ku73QZ3rm9', 'uQU3R1HoM3', 'WEP3LIZoJH', 'eSO3U3PCib', 'jsr3E8H7Th', 'aYe3vidHBE', 'rf13VluDO1', 'OPd3lCSrsv', 'rZx3Fb8lZG'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, FDfeaDWkj6uwr853fB.csHigh entropy of concatenated method names: 'Dispose', 'm1vSYVQV7y', 'HvZGQ5u1YK', 'qAtCTnFTTZ', 'mtmSdBvvOs', 'BtaSzYdypV', 'ProcessDialogKey', 'o8JGTuqZKW', 'aXpGSBkB6q', 'kHiGGmUBWi'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, RaDpFAleFdsHB4dTjP.csHigh entropy of concatenated method names: 'DW6cNoiRpn', 'e4xceESoTS', 'B7qcx2uuuR', 'TjjcPmq4uM', 't5nctNdouI', 'NhjcDInJcy', 'J5Xc1OhA6x', 'JZYcBVOyZV', 'KaXc68wI8C', 'cgncmfcBn2'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, pbPxoRJcN8LGtJUGqT.csHigh entropy of concatenated method names: 'eEjSc9mhRk', 'oN6S7LqkMg', 'V9bS9LLUK6', 'soOS8kGYuC', 'vh5SC39Dca', 'pXwSswFjAy', 'zLc9lKKBn5ln8N6uZ9', 'UJpAdLrlyNhCIJFpxL', 'SlTSS7062c', 'v0KSbvpDIZ'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, x9mhRkBCN6LqkMg2IH.csHigh entropy of concatenated method names: 'se4WaGTqWP', 'fDyWMSLm90', 'ggiWZLbqi5', 'VabWq0XaJe', 'P7MWIyLOay', 'I3XWnXDswg', 'g7yWHvSkaB', 'AL1W4osox5', 'JEMWYWAbWk', 'YrHWd131vu'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, a86HajSSwZRC0t7eihu.csHigh entropy of concatenated method names: 'qREAdLTnSp', 'yf3Azw2Ce0', 'qjRgT3a6Rn', 'gdugS9WgBl', 'dNYgGrprdx', 'vKUgbHyLrr', 'hICgJKHcX2', 'T2OgwjYl1c', 'b7PgfNNbej', 'BWMgWxU7s2'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, xRbZioHoE81vVQV7y9.csHigh entropy of concatenated method names: 'Isv3CMTiVr', 'J4L30LH3Z7', 'seY33SVQrL', 'mgq3gdc0sm', 'mEU3ORmEdp', 'qSO3jZJJk7', 'Dispose', 'DCZXfydHkI', 'NNWXWbI3ce', 'jgVXkN90K4'
                  Source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, eGGJWLktYjl8yayLnH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RqyGYgAia1', 'JWjGd5p68j', 'KdkGzMUGJb', 'k1GbTLtb4j', 'uDibSNNveZ', 'YNebGOfTcH', 'OKQbb2xkBC', 'Y2D0vSbIy0KQWCMdLhV'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, oDLRGEy24M1UXLOxru.csHigh entropy of concatenated method names: 's2i5BNhwwT', 'JQh56ABCp6', 'AWa5rO9S80', 'FTg5QeBdkk', 'QuU5LByZv1', 'nHK5UUTLf5', 'df65vkheeP', 'N1k5VNMHFs', 'rkM5FkuIoJ', 'lcI5ocJUfH'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, e85cWN7KcAIPBZ0UIq.csHigh entropy of concatenated method names: 'CUdbwmjArC', 'r93bfamlAq', 'RBqbW8jvhX', 'YKnbkJKYsf', 'NEubulAsvi', 'sLebixQKC2', 'CABbcy66s1', 'gpGb77yBZi', 'k67b2JeoSi', 'EH5b9NS9Ze'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, VyY2rjvcByZ9kFk4et.csHigh entropy of concatenated method names: 'voFcfjvooV', 'XGnckT4hPJ', 'Omfci63BNB', 'lKNidZ1Mdo', 'KAMizOMwOB', 'V22cTcPWb1', 'bjTcSKcapM', 'eHbcGl3Ffd', 'ie4cbD1Jjs', 'cp0cJMsxXP'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, efDWtZG2cAW2bAQ3GR.csHigh entropy of concatenated method names: 'wlSxW13i7', 'pVxPlJ4aH', 'SA8DGOxwT', 'T1f1UTeoc', 'sUw6ElNcU', 'APBmQ31L4', 'XTmaRMyKssKxQFuLjA', 'AL83ltXAIiEhs3PBkh', 'TArXTUDYY', 'jR3Aw1w8T'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, x0VUmQSTU64hwZHavMD.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vFxAoQggUo', 'RFpAppQroC', 'XJ3Ayoog6B', 'yJeAaHOvcD', 'eIiAMlcCT4', 'XptAZcJyLn', 'ou1Aq2HaBR'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, FUBWi8dohR3SnqLZED.csHigh entropy of concatenated method names: 'cQ4AkGUmnB', 'VuNAugeCoq', 'vkDAiJfMlQ', 'S4NAcBqx4v', 'K0UA32SYpU', 'tluA7gNZ4b', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, uFdtLsnswTL7ohVdPD.csHigh entropy of concatenated method names: 'YS204kivkq', 'rNy0dcL11B', 'egqXTtIfO1', 'TfUXSuXX2b', 'lGM0ogMQAY', 'eGk0pdRWts', 'vq00yHDxUU', 'PFJ0aBAx0F', 'qWi0M155Ht', 'Mca0ZC1m6R'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, nuXEPsaVZ0CsXd7mAn.csHigh entropy of concatenated method names: 'k57CFgAWId', 'zg1Cpylfqv', 'peoCaghRJt', 'JTRCMPdRWM', 'foPCQMK5Ga', 'Ec8CRp1mx9', 'nIhCLTXyBN', 'Li6CUYRuPU', 'XYZCEalQZD', 'Up7CvlBJwJ'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, qRQ6AH69bLLUK6AoOk.csHigh entropy of concatenated method names: 'hWOkPWbYAY', 'HMZkD97HfC', 'Ic4kBndiAj', 'Kq5k6stIaQ', 'YaKkCDlGTm', 'vBMks64AXi', 'LI1k0A0pJo', 'gcakX6ld63', 'A70k3ALdU8', 'TrxkAPEK0p'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, cYuC5fmbE0crCOh539.csHigh entropy of concatenated method names: 'KdZutuumY8', 'HeYu13UI37', 'NGbkRxhJB9', 'TWnkLbYtde', 'HkqkUwnqjU', 'mldkELFLjK', 'biVkvuf9gc', 'eTJkV5WRNl', 'H2Gklv2ZkM', 'A2akFt7l2q'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, BcasXwrwFjAyPXyVlF.csHigh entropy of concatenated method names: 'x3jiwdtErV', 'U0jiWJbeGf', 'n9tiupZrkU', 'awCicNbSJH', 'a2Pi7uCgUh', 'jbluINc03t', 'qFrundjMbT', 'vPFuHCAJb0', 'wLtu4L30ar', 'rtDuY6vqMR'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, jDPqPlzYcsDKbn6IC6.csHigh entropy of concatenated method names: 'XAgADVpO9B', 'KNoABN5rdl', 'C3cA6gAsVQ', 'bbAArAHOjV', 'LyhAQvvfwk', 'WFIALNL0AV', 'puMAUh398I', 'ePYAjjukjg', 'SbdANtQayD', 'mRLAe8Vwh0'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, aLNwGLZqZNiHQ1CuYS.csHigh entropy of concatenated method names: 'ToString', 'hP8soIfyfZ', 'kSvsQiqXlS', 'JyDsROBX5D', 'apWsL1x13E', 'tnmsUEIEYC', 'H2hsEfo7C6', 'gZCsv6XVYB', 'M1jsVuk5xp', 'oocsl6P7mk'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, duqZKWYTXpBkB6q7Hi.csHigh entropy of concatenated method names: 'wSw3r3HUru', 'ku73QZ3rm9', 'uQU3R1HoM3', 'WEP3LIZoJH', 'eSO3U3PCib', 'jsr3E8H7Th', 'aYe3vidHBE', 'rf13VluDO1', 'OPd3lCSrsv', 'rZx3Fb8lZG'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, FDfeaDWkj6uwr853fB.csHigh entropy of concatenated method names: 'Dispose', 'm1vSYVQV7y', 'HvZGQ5u1YK', 'qAtCTnFTTZ', 'mtmSdBvvOs', 'BtaSzYdypV', 'ProcessDialogKey', 'o8JGTuqZKW', 'aXpGSBkB6q', 'kHiGGmUBWi'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, RaDpFAleFdsHB4dTjP.csHigh entropy of concatenated method names: 'DW6cNoiRpn', 'e4xceESoTS', 'B7qcx2uuuR', 'TjjcPmq4uM', 't5nctNdouI', 'NhjcDInJcy', 'J5Xc1OhA6x', 'JZYcBVOyZV', 'KaXc68wI8C', 'cgncmfcBn2'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, pbPxoRJcN8LGtJUGqT.csHigh entropy of concatenated method names: 'eEjSc9mhRk', 'oN6S7LqkMg', 'V9bS9LLUK6', 'soOS8kGYuC', 'vh5SC39Dca', 'pXwSswFjAy', 'zLc9lKKBn5ln8N6uZ9', 'UJpAdLrlyNhCIJFpxL', 'SlTSS7062c', 'v0KSbvpDIZ'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, x9mhRkBCN6LqkMg2IH.csHigh entropy of concatenated method names: 'se4WaGTqWP', 'fDyWMSLm90', 'ggiWZLbqi5', 'VabWq0XaJe', 'P7MWIyLOay', 'I3XWnXDswg', 'g7yWHvSkaB', 'AL1W4osox5', 'JEMWYWAbWk', 'YrHWd131vu'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, a86HajSSwZRC0t7eihu.csHigh entropy of concatenated method names: 'qREAdLTnSp', 'yf3Azw2Ce0', 'qjRgT3a6Rn', 'gdugS9WgBl', 'dNYgGrprdx', 'vKUgbHyLrr', 'hICgJKHcX2', 'T2OgwjYl1c', 'b7PgfNNbej', 'BWMgWxU7s2'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, xRbZioHoE81vVQV7y9.csHigh entropy of concatenated method names: 'Isv3CMTiVr', 'J4L30LH3Z7', 'seY33SVQrL', 'mgq3gdc0sm', 'mEU3ORmEdp', 'qSO3jZJJk7', 'Dispose', 'DCZXfydHkI', 'NNWXWbI3ce', 'jgVXkN90K4'
                  Source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, eGGJWLktYjl8yayLnH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RqyGYgAia1', 'JWjGd5p68j', 'KdkGzMUGJb', 'k1GbTLtb4j', 'uDibSNNveZ', 'YNebGOfTcH', 'OKQbb2xkBC', 'Y2D0vSbIy0KQWCMdLhV'
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (56 identical entries)

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: sWr3wJ0SuB.exe PID: 4152, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: 2800000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: 8A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: 9A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: 9C60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: AC60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: B170000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: C170000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: D170000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 1080000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2B90000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 4B90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe TID: 3640 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Thread delayed: delay time: 922337203685477
                  Source: MSBuild.exe, 00000002.00000002.2478875319.0000000000D57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41A000
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41C000
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BB9008
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Queries volume information: C:\Users\user\Desktop\sWr3wJ0SuB.exe VolumeInformation
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\sWr3wJ0SuB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: sWr3wJ0SuB.exe PID: 4152, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6740, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2480336213.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: sWr3wJ0SuB.exe PID: 4152, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6740, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.3841328.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.3841328.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.382a508.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.4239d08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.382a508.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.sWr3wJ0SuB.exe.41deae8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.2478482368.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1229542979.0000000003809000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1229542979.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: sWr3wJ0SuB.exe PID: 4152, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6740, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | 1 Data from Local System | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
