
Analysis Report SWcNyi2YBj.exe

Overview

General Information

Sample Name: SWcNyi2YBj.exe
Analysis ID: 356842
MD5: 413743f8b05dedc18e9d2d2fbe5d6528
SHA1: 7b00081e08b8348df7d0940b73ffbecd7de249da
SHA256: 9b2db2aaf8c526dff498520e35898c5f3ef718ec198e267a40bfadd926bd358a
Tags: AsyncRAT, exe, nVpnRAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SWcNyi2YBj.exe (PID: 3468 cmdline: 'C:\Users\user\Desktop\SWcNyi2YBj.exe' MD5: 413743F8B05DEDC18E9D2D2FBE5D6528)
    • schtasks.exe (PID: 3412 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SWcNyi2YBj.exe (PID: 5080 cmdline: C:\Users\user\Desktop\SWcNyi2YBj.exe MD5: 413743F8B05DEDC18E9D2D2FBE5D6528)
    • SWcNyi2YBj.exe (PID: 4912 cmdline: C:\Users\user\Desktop\SWcNyi2YBj.exe MD5: 413743F8B05DEDC18E9D2D2FBE5D6528)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
Process Memory Space: SWcNyi2YBj.exe PID: 3468 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: SWcNyi2YBj.exe PID: 3468 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.SWcNyi2YBj.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.2.SWcNyi2YBj.exe.26366d4.1.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.2.SWcNyi2YBj.exe.26366d4.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SWcNyi2YBj.exe', ParentImage: C:\Users\user\Desktop\SWcNyi2YBj.exe, ParentProcessId: 3468, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp', ProcessId: 3412

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe | ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: SWcNyi2YBj.exe | ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SWcNyi2YBj.exe | Joe Sandbox ML: detected
Source: 7.2.SWcNyi2YBj.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: SWcNyi2YBj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SWcNyi2YBj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_06D1F420)
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_06D1F4D4)
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_06D1F3C3)

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: newtechublil.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49717 -> 79.134.225.103:8675
Source: Joe Sandbox View | IP Address: 79.134.225.103
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: newtechublil.ddns.net
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 3468, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 4912, type: MEMORY
Source: Yara match | File source: 7.2.SWcNyi2YBj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack, type: UNPACKEDPE

System Summary:

.NET source code contains very large strings
Source: SWcNyi2YBj.exe, frmlogin.cs | Long String: Length: 13656
Source: mWSqBKhLOazUTy.exe.0.dr, frmlogin.cs | Long String: Length: 13656
Source: 0.0.SWcNyi2YBj.exe.d0000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 0.2.SWcNyi2YBj.exe.d0000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 6.0.SWcNyi2YBj.exe.230000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 6.2.SWcNyi2YBj.exe.230000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: 7.2.SWcNyi2YBj.exe.830000.1.unpack, frmlogin.cs | Long String: Length: 13656
Source: 7.0.SWcNyi2YBj.exe.830000.0.unpack, frmlogin.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_000D9530
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_0090C0D4
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_0090E591
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_0090E5A0
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D1C7A6
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D10040
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D14489
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D10D80
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D1DBB0
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D12B40
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D12B30
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 6_2_00239530
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 7_2_00839530
Source: SWcNyi2YBj.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mWSqBKhLOazUTy.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SWcNyi2YBj.exe, 00000000.00000002.253881383.0000000007330000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.239292603.000000000016A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.254006511.0000000007430000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.254006511.0000000007430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.240619537.00000000034C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.253416018.0000000006AA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.253815176.0000000007080000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000006.00000000.236554671.00000000002CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000007.00000002.479377550.000000000040E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000007.00000002.488056116.00000000051A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000007.00000000.237603155.00000000008CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000007.00000002.481116243.0000000000FCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000007.00000002.488189504.0000000005570000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SWcNyi2YBj.exe, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: mWSqBKhLOazUTy.exe.0.dr, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: 0.0.SWcNyi2YBj.exe.d0000.0.unpack, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: 0.2.SWcNyi2YBj.exe.d0000.0.unpack, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: 6.0.SWcNyi2YBj.exe.230000.0.unpack, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: 6.2.SWcNyi2YBj.exe.230000.0.unpack, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: 7.2.SWcNyi2YBj.exe.400000.0.unpack, Client/Settings.cs | Base64 encoded strings: [base64 strings omitted]
Source: 7.2.SWcNyi2YBj.exe.830000.1.unpack, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: 7.0.SWcNyi2YBj.exe.830000.0.unpack, frmlogin.cs | Base64 encoded string: [long base64 string omitted]
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@18/1
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File created: C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Mutant created: \Sessions\1\BaseNamedObjects\WgROkbFeKuQ
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1156:120:WilError_01
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp
Source: SWcNyi2YBj.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SWcNyi2YBj.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File read: C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: unknown | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe 'C:\Users\user\Desktop\SWcNyi2YBj.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: unknown | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp'
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SWcNyi2YBj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SWcNyi2YBj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: SWcNyi2YBj.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: mWSqBKhLOazUTy.exe.0.dr, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SWcNyi2YBj.exe.d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SWcNyi2YBj.exe.d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.SWcNyi2YBj.exe.230000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.SWcNyi2YBj.exe.230000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.SWcNyi2YBj.exe.830000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.SWcNyi2YBj.exe.830000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D18747 push es; ret 0_2_06D18748
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D18545 push es; iretd 0_2_06D18564
Source: initial sample | Static PE information: section name: .text entropy: 7.13520516596
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File created: C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe

Boot Survival:

Yara detected AsyncRAT
Source: Yara match | File source: 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 3468, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 4912, type: MEMORY
Source: Yara match | File source: 7.2.SWcNyi2YBj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack, type: UNPACKEDPE
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp'
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process information set: NOOPENFILEERRORBOX
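The schtasks command line in this section registers the task from an XML definition (/XML) rather than from /TR and /SC switches, so the command line itself does not reveal what the task runs; the tell-tale signs are that the definition is staged in the user's Temp directory under a Path.GetTempFileName()-style name (tmp3DE4.tmp) and that the task name reuses the name of the dropped executable (mWSqBKhLOazUTy). The following detection logic, an added example that is not Joe Sandbox or AsyncRAT code, tokenizes Windows command lines the way a process-creation log would carry them and flags exactly that pattern. The log lines are constructed (the first mirrors the command line recorded here, written with the double quotes a real host logs where the sandbox prints single quotes); SUSPECT_DIRS is an assumption about where legitimate installers do not stage task definitions.

```python
"""Flag schtasks.exe invocations that register a task from an XML file staged in a
temp or user-writable directory, the persistence step recorded in this section.

Added example, not Joe Sandbox or AsyncRAT code. SAMPLE_COMMAND_LINES are constructed
to resemble Sysmon Event ID 1 / Security 4688 CommandLine fields. SUSPECT_DIRS is an
assumption about where a legitimate installer does not stage task definitions.
"""
import re

# Windows command-line tokens: "double-quoted", 'single-quoted' (as the sandbox
# renders them) or bare whitespace-delimited.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')

SUSPECT_DIRS = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\",
    "\\appdata\\roaming\\", "\\users\\public\\",
)
# Path.GetTempFileName() / GetTempFileNameW() produce tmp<4 hex digits>.tmp, e.g. tmp3DE4.tmp
TEMPNAME_RE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp$")


def tokenize(cmdline):
    return [a or b or c for a, b, c in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {'/create': True, '/tn': ..., '/xml': ...} or None if this is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
        opts[key] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts


def assess(cmdline):
    """None when not a 'schtasks /Create'; otherwise the list of suspicious traits (may be empty)."""
    opts = parse_schtasks(cmdline)
    if opts is None or "/create" not in opts:
        return None
    findings = []
    for switch, what in (("/xml", "task XML"), ("/tr", "task action")):
        value = opts.get(switch)
        if not isinstance(value, str):
            continue
        low = value.lower()
        if any(d in low for d in SUSPECT_DIRS):
            findings.append(f"{what} in temp/user-writable path: {value}")
        if switch == "/xml" and TEMPNAME_RE.search(low):
            findings.append(f"{what} named like a GetTempFileName output: {value}")
    return findings


SAMPLE_COMMAND_LINES = [
    # constructed; mirrors the command line recorded in this report
    '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\mWSqBKhLOazUTy" '
    '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp3DE4.tmp"',
    # constructed benign case: task definition kept under ProgramData
    'schtasks.exe /Create /TN "Corp\\Backup" /XML "C:\\ProgramData\\Corp\\backup-task.xml"',
    # constructed: a query, not a registration
    'schtasks.exe /Query /TN "Updates\\mWSqBKhLOazUTy"',
]


def scan(lines):
    """Return [(cmdline, findings)] for every /Create that has at least one finding."""
    return [(ln, f) for ln in lines if (f := assess(ln))]


if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_COMMAND_LINES):
        print(cmd)
        for f in findings:
            print("  -", f)
```

The XML path alone is a strong signal because the Task Scheduler copies the definition into C:\Windows\System32\Tasks when the task is registered, so the staged file is typically deleted afterwards; to recover what the task runs, read the registered copy under Tasks\Updates\ or the task's Actions element from the Event ID 106 / 4698 record rather than looking for the temp file.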

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 3468, type: MEMORY
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack, type: UNPACKEDPE
Yara detected AsyncRAT
Source: Yara match | File source: 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 3468, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 4912, type: MEMORY
Source: Yara match | File source: 7.2.SWcNyi2YBj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, SWcNyi2YBj.exe, 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe TID: 4464 | Thread sleep time: -103493s >= -30000s
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe TID: 492 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe TID: 6060 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | File Volume queried: C:\ FullSizeInformation
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SWcNyi2YBj.exe, 00000007.00000002.487982594.000000000512A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwa
Source: SWcNyi2YBj.exe, 00000007.00000002.488189504.0000000005570000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SWcNyi2YBj.exe, 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp | Binary or memory string: vmware
Source: SWcNyi2YBj.exe, 00000007.00000002.488189504.0000000005570000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SWcNyi2YBj.exe, 00000007.00000002.488189504.0000000005570000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: SWcNyi2YBj.exe, 00000007.00000002.488189504.0000000005570000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Memory allocated: page read and write | page guard
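Two caveats when reading the strings above. First, the sample is .NET, so its own string literals (SBIEDLL.DLL, VMware SVGA II, the VMware Tools registry path) sit in memory as UTF-16LE and are missed by an ASCII-only strings pass; the hits in the 0x24C1000 and 0x402000 regions are the sample's. Second, the "Hyper-V ..." sentences come from the 0x5570000 region and are standard Windows HCS error messages (the texts of the HCS_E_* codes in winerror.h), so their presence says nothing about a Hyper-V check by the sample. The 922337203685477 ms delay is Int64.MaxValue / 10,000, the largest TimeSpan expressed in whole milliseconds, i.e. a wait that never expires on its own; the sandbox prints the intervals as negative numbers because the NT API encodes a relative delay as a negative value. The scanner below is an added example (not Joe Sandbox or AsyncRAT code) that searches a dump for the indicators this report attributes to the sample, in both encodings, and reports which ones an ASCII-only pass would have missed; SAMPLE_BLOB is constructed.

```python
"""Scan a memory dump (or an unpacked PE) for the anti-VM / anti-sandbox strings listed
in this section, in both ASCII and UTF-16LE: the sample is .NET, whose string literals
are stored as UTF-16LE and are therefore missed by an ASCII-only `strings` pass.

Added example, not Joe Sandbox or AsyncRAT code. INDICATORS are the strings this report
attributes to the sample's own memory regions; SAMPLE_BLOB is constructed.
"""

INDICATORS = {
    "SbieDll.dll": "Sandboxie user-mode hook DLL",
    "wine_get_unix_file_name": "kernel32 export that exists only under Wine",
    "VMware SVGA II": "VMware display adapter name",
    "SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    "vmware": "generic VMware marker (seen on its own in the unpacked payload)",
}
ENCODINGS = ("ascii", "utf-16-le")


def find_indicators(blob):
    """[(indicator, encoding, offset)] sorted by offset. A shorter indicator is not
    reported when it lies inside a longer one already found ('vmware' in 'VMware Tools')."""
    # bytes.lower() only touches ASCII bytes, so it also lowercases UTF-16LE of ASCII text
    low = blob.lower()
    covered, hits = [], []
    for text in sorted(INDICATORS, key=len, reverse=True):
        for enc in ENCODINGS:
            needle = text.lower().encode(enc)
            pos = low.find(needle)
            while pos != -1:
                if not any(s <= pos < e for s, e in covered):
                    hits.append((text, enc, pos))
                    covered.append((pos, pos + len(needle)))
                pos = low.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def summarize(blob):
    hits = find_indicators(blob)
    seen = {}
    for text, enc, _ in hits:
        seen.setdefault(enc, set()).add(text)
    return {
        "hits": hits,
        "distinct": sorted({h[0] for h in hits}),
        # indicators an ASCII-only strings pass would not have shown at all
        "utf16_only": sorted(seen.get("utf-16-le", set()) - seen.get("ascii", set())),
    }


# Constructed: a .NET-like region with literals in UTF-16LE next to an ASCII name table.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")
    + b"\x00" * 8
    + b"kernel32.dll\x00wine_get_unix_file_name\x00"
    + "VMware SVGA II".encode("utf-16-le")
    + b"\x00" * 4
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
)

if __name__ == "__main__":
    for text, enc, off in find_indicators(SAMPLE_BLOB):
        print(f"{off:#08x} {enc:10} {text!r}: {INDICATORS[text]}")
    print("missed by ASCII-only strings:", summarize(SAMPLE_BLOB)["utf16_only"])
```

Run it over the .sdmp regions individually rather than over a whole-process dump, so that a hit can be attributed to the sample's heap or unpacked image instead of to a mapped system DLL, which is exactly the distinction the Hyper-V lines above illustrate.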

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Memory written: C:\Users\user\Desktop\SWcNyi2YBj.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp'
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Process created: C:\Users\user\Desktop\SWcNyi2YBj.exe C:\Users\user\Desktop\SWcNyi2YBj.exe
Source: SWcNyi2YBj.exe, 00000007.00000002.481790129.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: SWcNyi2YBj.exe, 00000007.00000002.481790129.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: SWcNyi2YBj.exe, 00000007.00000002.481790129.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: SWcNyi2YBj.exe, 00000007.00000002.481790129.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Users\user\Desktop\SWcNyi2YBj.exe VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
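The "Memory written ... base: 400000 value starts with: 4D5A" line together with the two "Process created" lines for a second copy of SWcNyi2YBj.exe is the classic hollowing sequence: the parent starts itself suspended, writes a different PE (the unpacked AsyncRAT payload, matched by Yara as 7.2.SWcNyi2YBj.exe.400000.0.unpack) over the child's image base, and resumes it, so the on-disk file and the running image no longer agree. The quickest way to confirm that from such a dump is to diff the headers and the read-only code section against the file on disk. The following is an added example, not Joe Sandbox or AsyncRAT code; ORIGINAL_FILE and PAYLOAD_FILE are constructed minimal PE32 images (no bytes of the real sample are reproduced), and map_image() lays a file out at its RVAs the way the loader does, which is what a dump of the base address looks like.

```python
"""Confirm process hollowing from a dump of the child's image base by diffing its PE
headers and read-only code section against the on-disk image the child was started from.

Added example, not Joe Sandbox or AsyncRAT code. ORIGINAL_FILE and PAYLOAD_FILE are
constructed minimal PE32 images; no bytes of the real sample are reproduced.
"""
import hashlib
import struct

CNT_CODE, MEM_WRITE = 0x20, 0x80000000  # IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_WRITE


def parse_pe(data, mapped):
    """Header fields plus a hash of each section's bytes. mapped=True reads sections at
    their RVA (a memory dump); mapped=False at their file offsets (the file on disk)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    info = {"machine": machine, "entry": u32(opt + 16), "image_base": u32(opt + 28),
            "size_of_image": u32(opt + 56), "size_of_headers": u32(opt + 60), "sections": []}
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        src = va if mapped else rawptr
        info["sections"].append({
            "name": name.rstrip(b"\0").decode(), "va": va, "rawsize": rawsize, "rawptr": rawptr,
            "chars": u32(hdr + 36), "sha256": hashlib.sha256(data[src:src + rawsize]).hexdigest()})
    return info


def hollowing_indicators(on_disk, in_memory):
    """Differences a hollowing loader leaves behind; empty for a normally created child
    mapped at its preferred base (rebasing can also change a 32-bit .text via relocations)."""
    d, m = parse_pe(on_disk, mapped=False), parse_pe(in_memory, mapped=True)
    out = [f"{k}: disk={d[k]:#x} memory={m[k]:#x}"
           for k in ("machine", "entry", "image_base", "size_of_image") if d[k] != m[k]]
    dsec = {s["name"]: s for s in d["sections"]}
    msec = {s["name"]: s for s in m["sections"]}
    if dsec.keys() != msec.keys():
        out.append(f"sections: disk={sorted(dsec)} memory={sorted(msec)}")
    # Only read-only code sections are compared: data sections change at run time and the
    # loader patches the import table, so other sections differ even in a clean child.
    for name in sorted(dsec.keys() & msec.keys()):
        c = dsec[name]["chars"]
        if c & CNT_CODE and not c & MEM_WRITE and dsec[name]["sha256"] != msec[name]["sha256"]:
            out.append(f"code section {name} differs from disk")
    return out


def build_pe32(entry, image_base, sections):
    """Constructed minimal PE32 file image; sections = [(name, characteristics, payload)]."""
    falign, salign = 0x200, 0x1000
    size_of_headers = -(-(0x40 + 4 + 20 + 224 + 40 * len(sections)) // falign) * falign
    sec_hdrs, raw, ptr, va = b"", b"", size_of_headers, salign
    for name, chars, payload in sections:
        rawsize = -(-len(payload) // falign) * falign
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), va, rawsize, ptr, 0, 0, 0, 0, chars)
        raw += payload.ljust(rawsize, b"\0")
        ptr += rawsize
        va += -(-len(payload) // salign) * salign
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry, salign, 0, image_base, salign, falign,
                      6, 0, 0, 0, 6, 0, 0, va, size_of_headers, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec_hdrs
    return head.ljust(size_of_headers, b"\0") + raw


def map_image(file_bytes):
    """Lay a file image out at its RVAs, as the loader does: what a dump of the base shows."""
    h = parse_pe(file_bytes, mapped=False)
    mem = bytearray(h["size_of_image"])
    mem[:h["size_of_headers"]] = file_bytes[:h["size_of_headers"]]
    for s in h["sections"]:
        mem[s["va"]:s["va"] + s["rawsize"]] = file_bytes[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(mem)


CODE, DATA = 0x60000020, 0xC0000040  # CODE|EXECUTE|READ, INITIALIZED_DATA|READ|WRITE
# Constructed stand-in for the on-disk SWcNyi2YBj.exe image.
ORIGINAL_FILE = build_pe32(0x1000, 0x400000, [
    (b".text", CODE, b"\x55\x8b\xec" + b"\x90" * 61 + b"\xc3"),
    (b".data", DATA, b"original data\0")])
# Constructed stand-in for the PE the parent wrote over the suspended child at 0x400000.
PAYLOAD_FILE = build_pe32(0x1230, 0x400000, [
    (b".text", CODE, b"\x55\x8b\xec" + b"\xcc" * 900 + b"\xc3"),
    (b".rsrc", DATA, b"injected resources\0")])
CLEAN_CHILD = map_image(ORIGINAL_FILE)    # a normally created child, seen at 0x400000
HOLLOWED_CHILD = map_image(PAYLOAD_FILE)  # what a dump like 7.2.<name>.400000.0.unpack shows

if __name__ == "__main__":
    print("clean child:   ", hollowing_indicators(ORIGINAL_FILE, CLEAN_CHILD))
    print("hollowed child:", *hollowing_indicators(ORIGINAL_FILE, HOLLOWED_CHILD), sep="\n  ")
```

On a live host the same comparison is done between the file the process's image path points at and the bytes read from its PEB ImageBaseAddress; the dump here sits at the preferred base 0x400000, which is why the ImageBase field is expected to match and any difference in the entry point, section table or .text contents is attributable to the overwrite rather than to relocation.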
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\SWcNyi2YBj.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Queries volume information: C:\Users\user\Desktop\SWcNyi2YBj.exe | VolumeInformation
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 3468, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 4912, type: MEMORY
Source: Yara match | File source: 7.2.SWcNyi2YBj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Bracketed digits are the signature-count markers shown next to a matched technique in the original report; techniques without a marker were not matched.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job [2] | Scheduled Task/Job [2] | Process Injection [112] | Masquerading [1] | OS Credential Dumping | Security Software Discovery [211] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job [2] | Virtualization/Sandbox Evasion [3] | LSASS Memory | Virtualization/Sandbox Evasion [3] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools [1] | Security Account Manager | Process Discovery [2] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [112] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [11] | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information [131] | LSA Secrets | File and Directory Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing [12] | Cached Domain Credentials | System Information Discovery [13] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

(Graph image and its legend are not reproduced in this text extract.)

Screenshots

(Screenshot thumbnails are not reproduced in this text extract.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SWcNyi2YBj.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
SWcNyi2YBj.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe | 23% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.SWcNyi2YBj.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.2.SWcNyi2YBj.exe.26366d4.1.unpack | 100% | Avira | HEUR/AGEN.1110362

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
newtechublil.ddns.net | 79.134.225.103 | true | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.103 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICES CH | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356842
Start date: 23.02.2021
Start time: 17:42:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SWcNyi2YBj.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/4@18/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 56
• Number of non-executed functions: 8
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.147.198.201, 13.64.90.137, 104.42.151.234, 23.211.6.115, 184.30.20.56, 51.104.139.180, 8.250.157.254, 8.248.95.254, 8.238.27.126, 8.241.80.126, 8.248.123.254, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.11.168.160
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/356842/sample/SWcNyi2YBj.exe

Simulations

Behavior and APIs

Time | Type | Description
17:43:49 | API Interceptor | 2x Sleep call for process: SWcNyi2YBj.exe modified

Joe Sandbox View / Context

IPs

Match: 79.134.225.103

Associated Sample Name / URL | Detection | Context
dabs (1).exe | malicious |
dabsssss.exe | malicious |
PO UGT.exe | malicious |
feTtSsyXeBsJZUl.exe | malicious |
zAlNQ6GMGIHd4EB.exe | malicious |
I6sSftkh08BcVNE.exe | malicious |
t7Beia0TdGFsj4p.exe | malicious |
4paH8ucrAcKqEss.exe | malicious |
N9dbGzB9HSZWe4S.exe | malicious |
bedrapes.exe | malicious |
6PO.exe | malicious |
OFFICE.exe | malicious |

Domains

Match: newtechublil.ddns.net

Associated Sample Name / URL | Detection | Context
REQUEST FOR QUOTATION.exe | malicious | 79.134.225.76
RFQ.exe | malicious | 91.193.75.17
ulY3ZgnMai.exe | malicious | 79.134.225.8

ASN

Match: FINK-TELECOM-SERVICESCH

Associated Sample Name / URL | Detection | Context
Confirmation Transfer Note Ref Number0002636.exe | malicious | 79.134.225.8
TdX45jQWjj.exe | malicious | 79.134.225.43
e92b274943f4a3a557881ee0dd57772d.exe | malicious | 79.134.225.105
WxTm2cWLHF.exe | malicious | 79.134.225.71
Payment Confirmation.exe | malicious | 79.134.225.30
rjHlt1zz28.exe | malicious | 79.134.225.49
Deadly Variants of Covid 19.doc | malicious | 79.134.225.49
document.exe | malicious | 79.134.225.122
5293ea9467ea45e928620a5ed74440f5.exe | malicious | 79.134.225.105
f1a14e6352036833f1c109e1bb2934f2.exe | malicious | 79.134.225.105
256ec8f8f67b59c5e085b0bb63afcd13.exe | malicious | 79.134.225.105
JOIN.exe | malicious | 79.134.225.30
Delivery pdf.exe | malicious | 79.134.225.25
d88e07467ddcf9e3b19fa972b9f000d1.exe | malicious | 79.134.225.105
fnfqzfwC44.exe | malicious | 79.134.225.25
Solicitud de oferta 6100003768.exe | malicious | 79.134.225.96
Nrfgylra.exe | malicious | 79.134.225.96
HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62
HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | malicious | 79.134.225.62

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWcNyi2YBj.exe.log
Process: C:\Users\user\Desktop\SWcNyi2YBj.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp
Process: C:\Users\user\Desktop\SWcNyi2YBj.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.198515785095118
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBYtn:cbh47TlNQ//rydbz9I3YODOLNdq3g
MD5: F673893CB70D0D66CFF6A2C9EFCC203A
SHA1: 3ABA1096F1DC32391C67402EA3B144034FF468CC
SHA-256: 728E077C3F91752E5653161656169D61323C80C2A1BBA5FF6AE465A49354ADC7
SHA-512: 7185A9F6388406E9626FA7DFBC809F2A760D3526FF5F60980CB63B5B7A98F508AC1273758F96D608815CB7EE512A4E506CC98034E086CD94DB0155FE7358CECB
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe
Process: C:\Users\user\Desktop\SWcNyi2YBj.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 724992
Entropy (8bit): 6.611620887453061
Encrypted: false
SSDEEP: 12288:pG/bvRU9z7ZB2uXI5tARzjnOeX6nKAZgDpaSO3nMJibf41y99zzSl+XoEzz1w5Uy:pG/+9zf2gKrB9zztzzK
MD5: 413743F8B05DEDC18E9D2D2FBE5D6528
SHA1: 7B00081E08B8348DF7D0940B73FFBECD7DE249DA
SHA-256: 9B2DB2AAF8C526DFF498520E35898C5F3EF718EC198E267A40BFADD926BD358A
SHA-512: C3306C58CED2C58BA765116A07192D03424FD4568C1AE5F99359CB0ECB504CA109AFBD082DA00A665096F2EC330CBEE55DF655D557F1B12AB37F0C9577071280
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 23%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3`..............P..^..........j|... ........@.. .......................`............@..................................|..O...........................@....................................................... ............... ..H............text...p\... ...^.................. ..`.rsrc...............`..............@..@.reloc.......@......................@..B................L|......H.......8Y...T.............H.............................................( ...*&..(!....*.s"........s#........s$........s%........s&........*...0...........~....o'....+..*.0...........~....o(....+..*.0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+..*.0...........~.....+..*".......*.0..&........(....r)..p~....o0...(1.....t$....+..*Vs....(2...t.........*..(3...*.0..........

C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe:Zone.Identifier
Process: C:\Users\user\Desktop\SWcNyi2YBj.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.611620887453061
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SWcNyi2YBj.exe
File size: 724992
MD5: 413743f8b05dedc18e9d2d2fbe5d6528
SHA1: 7b00081e08b8348df7d0940b73ffbecd7de249da
SHA256: 9b2db2aaf8c526dff498520e35898c5f3ef718ec198e267a40bfadd926bd358a
SHA512: c3306c58ced2c58ba765116a07192d03424fd4568c1ae5f99359cb0ecb504ca109afbd082da00a665096f2ec330cbee55df655d557f1b12ab37f0c9577071280
SSDEEP: 12288:pG/bvRU9z7ZB2uXI5tARzjnOeX6nKAZgDpaSO3nMJibf41y99zzSl+XoEzz1w5Uy:pG/+9zf2gKrB9zztzzK
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3`..............P..^..........j|... ........@.. .......................`............@................................

File Icon

Icon Hash: f08f888c8e8e8730

Static PE Info

General

Entrypoint: 0x457c6a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6033D2E6 [Mon Feb 22 15:51:02 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x57c18          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x58000          0x5acd0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x55c70       0x55e00   False     0.674169282205   data       7.13520516596   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x58000          0x5acd0       0x5ae00   False     0.101229367263   data       5.55258821771   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb4000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type (Language and Country columns are empty for every entry)
RT_ICON        0x58220  0x42028  dBase III DBT, version number 0, next free block index 40
RT_ICON        0x9a248  0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0x9a6b0  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0x9cc58  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0x9dd00  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON        0xae528  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON  0xb2750  0x5a     data
RT_VERSION     0xb27ac  0x338    data
RT_MANIFEST    0xb2ae4  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Microsoft 2014
Assembly Version  1.0.0.0
InternalName      SHA384.exe
FileVersion       1.0.0.0
CompanyName       Microsoft
LegalTrademarks
Comments
ProductName       WinClient
ProductVersion    1.0.0.0
FileDescription   WinClient
OriginalFilename  SHA384.exe

                                                                        Network Behavior

                                                                        Network Port Distribution

                                                                        TCP Packets


                                                                        UDP Packets


                                                                        DNS Queries


                                                                        DNS Answers

                                                                        Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                  | CName | Address        | Type           | Class
                                                                        Feb 23, 2021 17:44:03.091830969 CET | 8.8.8.8   | 192.168.2.3 | 0x7f48   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:09.650608063 CET | 8.8.8.8   | 192.168.2.3 | 0x3df    | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:16.152749062 CET | 8.8.8.8   | 192.168.2.3 | 0x4586   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:22.901628017 CET | 8.8.8.8   | 192.168.2.3 | 0xa9d6   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:29.393642902 CET | 8.8.8.8   | 192.168.2.3 | 0x7b92   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:35.746407032 CET | 8.8.8.8   | 192.168.2.3 | 0xd4fa   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:42.203774929 CET | 8.8.8.8   | 192.168.2.3 | 0x9d28   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:48.560257912 CET | 8.8.8.8   | 192.168.2.3 | 0x1b71   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:44:54.905570984 CET | 8.8.8.8   | 192.168.2.3 | 0xa1ef   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:01.307837009 CET | 8.8.8.8   | 192.168.2.3 | 0xd19d   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:07.655770063 CET | 8.8.8.8   | 192.168.2.3 | 0x233    | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:14.015863895 CET | 8.8.8.8   | 192.168.2.3 | 0x3bd1   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:20.438465118 CET | 8.8.8.8   | 192.168.2.3 | 0x373f   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:26.782072067 CET | 8.8.8.8   | 192.168.2.3 | 0x4996   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:33.124275923 CET | 8.8.8.8   | 192.168.2.3 | 0xfecb   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:39.497051954 CET | 8.8.8.8   | 192.168.2.3 | 0x6506   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:45.846759081 CET | 8.8.8.8   | 192.168.2.3 | 0x19ac   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)
                                                                        Feb 23, 2021 17:45:52.181025028 CET | 8.8.8.8   | 192.168.2.3 | 0x416d   | No error (0) | newtechublil.ddns.net |       | 79.134.225.103 | A (IP address) | IN (0x0001)

                                                                        Code Manipulations

                                                                        Statistics

                                                                        CPU Usage

                                                                        Memory Usage

                                                                        High Level Behavior Distribution

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time: 17:43:42
                                                                        Start date: 23/02/2021
                                                                        Path: C:\Users\user\Desktop\SWcNyi2YBj.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: 'C:\Users\user\Desktop\SWcNyi2YBj.exe'
                                                                        Imagebase: 0xd0000
                                                                        File size: 724992 bytes
                                                                        MD5 hash: 413743F8B05DEDC18E9D2D2FBE5D6528
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: .Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                        Reputation: low

                                                                        General

                                                                        Start time: 17:43:52
                                                                        Start date: 23/02/2021
                                                                        Path: C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp'
                                                                        Imagebase: 0xf20000
                                                                        File size: 185856 bytes
                                                                        MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Reputation: high

                                                                        General

                                                                        Start time: 17:43:52
                                                                        Start date: 23/02/2021
                                                                        Path: C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit): false
                                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase: 0x7ff6b2800000
                                                                        File size: 625664 bytes
                                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Reputation: high

                                                                        General

                                                                        Start time: 17:43:53
                                                                        Start date: 23/02/2021
                                                                        Path: C:\Users\user\Desktop\SWcNyi2YBj.exe
                                                                        Wow64 process (32bit): false
                                                                        Commandline: C:\Users\user\Desktop\SWcNyi2YBj.exe
                                                                        Imagebase: 0x230000
                                                                        File size: 724992 bytes
                                                                        MD5 hash: 413743F8B05DEDC18E9D2D2FBE5D6528
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Reputation: low

                                                                        General

                                                                        Start time: 17:43:53
                                                                        Start date: 23/02/2021
                                                                        Path: C:\Users\user\Desktop\SWcNyi2YBj.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: C:\Users\user\Desktop\SWcNyi2YBj.exe
                                                                        Imagebase: 0x830000
                                                                        File size: 724992 bytes
                                                                        MD5 hash: 413743F8B05DEDC18E9D2D2FBE5D6528
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: .Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        Reputation: low

                                                                        Disassembly

                                                                        Code Analysis

                                                                          Executed Functions

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7b138e283f6eb6597c660ba9449bbcdfc45de9800321a345e86a2435f574a5cd
                                                                          • Instruction ID: 597869a8c08531446828c1108d436055c8ef9f58937e2ed84beedc4408b11332
                                                                          • Opcode Fuzzy Hash: 7b138e283f6eb6597c660ba9449bbcdfc45de9800321a345e86a2435f574a5cd
                                                                          • Instruction Fuzzy Hash: 8C725C70A00119AFDB54EFA8D894AAEBBF6FF88304F158469E505EB351DB70DD81CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7a0627942340f037bffea720d947e627a0756ae81107e11925470b4b3e0fe5fb
                                                                          • Instruction ID: b9dac74b4aaec3c1e66cfaa748b6bb3a28c590a3eeb216c6ad34e3de2f0282a8
                                                                          • Opcode Fuzzy Hash: 7a0627942340f037bffea720d947e627a0756ae81107e11925470b4b3e0fe5fb
                                                                          • Instruction Fuzzy Hash: F3020570D412289FDBA4DF64D844BEDBBB1BF89304F1085EAD019AB291DBB45AC4CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9817032cbc3b49999ef5ca31afbf78bd4bf8374734970c0fea99fde1fa975458
                                                                          • Instruction ID: bb0511db18c4ec4114edad758226d0f0adaa7d44d01535fc3182bfa46a10301a
                                                                          • Opcode Fuzzy Hash: 9817032cbc3b49999ef5ca31afbf78bd4bf8374734970c0fea99fde1fa975458
                                                                          • Instruction Fuzzy Hash: FBB17E71A00215AFCB54DFA9D984A9ABBF3FF84310F568458E815AF361CBB0ED41CB50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 72fec968cb949d290d449c3cf3c999a4e78c6d15712e9990ed98610191a50a4e
                                                                          • Instruction ID: 6fbd3e035a18d46209ecae49b0b9b2e1893badfae1fa265139e12b18a25ffae8
                                                                          • Opcode Fuzzy Hash: 72fec968cb949d290d449c3cf3c999a4e78c6d15712e9990ed98610191a50a4e
                                                                          • Instruction Fuzzy Hash: BF31B1308093849FDB128F70D514AEDBFF1BF4E300F1485A6D485BB2A2C7758988CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cd71f1e105ab6dcdd899e17b394bda3d0eb7a8f4e6d19b9670187781387dcc42
                                                                          • Instruction ID: d9dc2062f7e93e9de6638fee4df0fa7fad446d7148948080b7d821b01b62e81d
                                                                          • Opcode Fuzzy Hash: cd71f1e105ab6dcdd899e17b394bda3d0eb7a8f4e6d19b9670187781387dcc42
                                                                          • Instruction Fuzzy Hash: 6E115770D042189FDB14CFA5E518BEEBBF1BB4E311F14906AD481B7290C7B88984CB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5b2d0ca246cdd12b4e6770c36c7c3179dfa15c353f9d34bb7c124021f24a8b0e
                                                                          • Instruction ID: 049058965481324b802415eb5e957f559533e3f5a4408b6ce2e0b4e0d7f7441b
                                                                          • Opcode Fuzzy Hash: 5b2d0ca246cdd12b4e6770c36c7c3179dfa15c353f9d34bb7c124021f24a8b0e
                                                                          • Instruction Fuzzy Hash: D4E09BA184D395AFD7518F64AD25676BFF0AB0B200F149086D082FB151D2A8C545D765
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0090B850
                                                                          • GetCurrentThread.KERNEL32 ref: 0090B88D
                                                                          • GetCurrentProcess.KERNEL32 ref: 0090B8CA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0090B923
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID: ~qsL
                                                                          • API String ID: 2063062207-2230267226
                                                                          • Opcode ID: cd65b83a2d661c6543780e44c4ffdc6625cec6b46f8b46c844ceb94b0f1b35cf
                                                                          • Instruction ID: e59e9cd945876866f981b9ccce7c6cf040672526f0e752514407bd2a7df6e3fb
                                                                          • Opcode Fuzzy Hash: cd65b83a2d661c6543780e44c4ffdc6625cec6b46f8b46c844ceb94b0f1b35cf
                                                                          • Instruction Fuzzy Hash: 8D5174B0D052488FDB14CFA9D648BEEBFF4AF49304F258499E418A73A1D7745848CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0090B850
                                                                          • GetCurrentThread.KERNEL32 ref: 0090B88D
                                                                          • GetCurrentProcess.KERNEL32 ref: 0090B8CA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0090B923
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID: ~qsL
                                                                          • API String ID: 2063062207-2230267226
                                                                          • Opcode ID: 68ea0cbe04052d8a63af2c45122b8b255c882c7b245dbb00e045d08ec7fb84a1
                                                                          • Instruction ID: eec379112eae39cc86cd8d36d034a13ffaa52c9b728ac23894ba2750f67d997f
                                                                          • Opcode Fuzzy Hash: 68ea0cbe04052d8a63af2c45122b8b255c882c7b245dbb00e045d08ec7fb84a1
                                                                          • Instruction Fuzzy Hash: 205154B0D012488FDB14CFA9D648BEEBBF5BF48304F208469E419A73A0D7745844CF65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D1AAF6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID: ~qsL$~qsL
                                                                          • API String ID: 963392458-2321737412
                                                                          • Opcode ID: 581ece445f53a715828299d4e5c9c8dafd65d7ead230d45849422427ed949abf
                                                                          • Instruction ID: 68c88f0e6caba67c674c08652bb8c1e2fb38645d6eae23bab9d50e2a3813059f
                                                                          • Opcode Fuzzy Hash: 581ece445f53a715828299d4e5c9c8dafd65d7ead230d45849422427ed949abf
                                                                          • Instruction Fuzzy Hash: 69A1B071D01219DFDB60CFA8DD40BDEBBB2BF48304F198569E809AB240DBB48985CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D1AAF6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID: ~qsL$~qsL
                                                                          • API String ID: 963392458-2321737412
                                                                          • Opcode ID: 3efc1557e8e5fd58286d40a1f83ff1e343cb7f8d4ffc1a82ce975273d801dd4d
                                                                          • Instruction ID: 5f0e449860a3c73c0f00b27a20b0f71ec6ddeb8552a6d4e41ded24519d2bc12d
                                                                          • Opcode Fuzzy Hash: 3efc1557e8e5fd58286d40a1f83ff1e343cb7f8d4ffc1a82ce975273d801dd4d
                                                                          • Instruction Fuzzy Hash: 5E91AE71D01219DFDB60CFA8DD807DEBBB2BF48304F198569E809AB240DBB59985CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0090FE2A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID: ~qsL$~qsL
                                                                          • API String ID: 716092398-2321737412
                                                                          • Opcode ID: 86ef210e861d67bfd3c1d932bda74e1e3401ccfe09c5cc92b90281b7322fea4c
                                                                          • Instruction ID: 5e9c369f055a8727bfbba4372a7c55e829e58bb1b97d4b98a8184ccf1ab8a520
                                                                          • Opcode Fuzzy Hash: 86ef210e861d67bfd3c1d932bda74e1e3401ccfe09c5cc92b90281b7322fea4c
                                                                          • Instruction Fuzzy Hash: E451E2B1D003489FDB24CFA9C894ADEBFB5BF88314F25812AE418AB251D7749985CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0090FE2A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID: ~qsL$~qsL
                                                                          • API String ID: 716092398-2321737412
                                                                          • Opcode ID: 0b42ceeda871b0c1ab9b76d7662c82a84c757ccb4a917043a6aa1a701a3a04c1
                                                                          • Instruction ID: a3b95308d37a2f200de359e3e79ae47a0f03ddf7e4213e11592417486d5a2c57
                                                                          • Opcode Fuzzy Hash: 0b42ceeda871b0c1ab9b76d7662c82a84c757ccb4a917043a6aa1a701a3a04c1
                                                                          • Instruction Fuzzy Hash: BB41C0B1D003089FDB24CF99D894ADEBBF5BF88314F25812AE819AB251D7749985CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00909736
Strings
Memory Dump Source
• Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
Similarity
• API ID: HandleModule
• String ID: ~qsL
• API String ID: 4139908857-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D1A6C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID: ~qsL
• API String ID: 3559483778-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D1A6C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID: ~qsL
• API String ID: 3559483778-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D1A7A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID: ~qsL
• API String ID: 1726664587-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 06D1A51E
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: ContextThread
• String ID: ~qsL
• API String ID: 1591575202-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0090BA9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: ~qsL
• API String ID: 3793708945-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D1A7A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID: ~qsL
• API String ID: 1726664587-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 06D1A51E
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: ContextThread
• String ID: ~qsL
• API String ID: 1591575202-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0090BA9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: ~qsL
• API String ID: 3793708945-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D1A5E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: ~qsL
• API String ID: 4275171209-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009097B1,00000800,00000000,00000000), ref: 009099C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: ~qsL
• API String ID: 1029625771-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009097B1,00000800,00000000,00000000), ref: 009099C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: ~qsL
• API String ID: 1029625771-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D1A5E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: ~qsL
• API String ID: 4275171209-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID: ~qsL
• API String ID: 947044025-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID: ~qsL
• API String ID: 947044025-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00909736
Strings
Memory Dump Source
• Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
Similarity
• API ID: HandleModule
• String ID: ~qsL
• API String ID: 4139908857-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06D1E41D
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MessagePost
• String ID: ~qsL
• API String ID: 410705778-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06D1E41D
Strings
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MessagePost
• String ID: ~qsL
• API String ID: 410705778-2230267226
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06D1E41D
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
                                                                          • Opcode ID: 0d0b197e53b44f41986169eac8a0c01309720aec750309b914e1d011a56bad14
                                                                          • Instruction ID: b491684f90e86bc1cb7d527df2f2206af83705f2da69fc6968caf34e0d8cb0ae
                                                                          • Opcode Fuzzy Hash: 0d0b197e53b44f41986169eac8a0c01309720aec750309b914e1d011a56bad14
                                                                          • Instruction Fuzzy Hash: 1321CD71E042689FDB10DFA5E9047EEBBF1AF88300F108469D941BB780C7B99944CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.239815265.000000000084D000.00000040.00000001.sdmp, Offset: 0084D000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5850530e6d3be7d22de216cd7948c8b84f209eed2365b9cb6c72816ce33c90c1
                                                                          • Instruction ID: 5e24daa2b824297845cd5adc8555593385e05cbb6ac9c25c0ed918d374a211ab
                                                                          • Opcode Fuzzy Hash: 5850530e6d3be7d22de216cd7948c8b84f209eed2365b9cb6c72816ce33c90c1
                                                                          • Instruction Fuzzy Hash: 92210771504348DFDB01CF54D9C0B26FBA5FB88318F24CA6DE9098B341C37AE846CA61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.239815265.000000000084D000.00000040.00000001.sdmp, Offset: 0084D000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2f601f19fbdb30dbeeed9bbdeaf1f3b5093b458aa01bff9d46158806244530d4
                                                                          • Instruction ID: b9d0dfb22fbbeebbf9340a62e8497f493622f52c205af9efe57b6746640ebe8d
                                                                          • Opcode Fuzzy Hash: 2f601f19fbdb30dbeeed9bbdeaf1f3b5093b458aa01bff9d46158806244530d4
                                                                          • Instruction Fuzzy Hash: 8A21F571504748DFCB14CF24D9C4B16BB65FB88318F24C96DD8098B346C33AD847CA61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.239815265.000000000084D000.00000040.00000001.sdmp, Offset: 0084D000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
                                                                          • Instruction ID: 47e081172a5450e04fa1b185542a8338129666006b1493399aa44d0b540d2bba
                                                                          • Opcode Fuzzy Hash: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
                                                                          • Instruction Fuzzy Hash: EE11BB75504784CFCB11CF10D5C4B15BBA1FB84324F28C6AAD8098B696C33AD84ACBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.239815265.000000000084D000.00000040.00000001.sdmp, Offset: 0084D000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
                                                                          • Instruction ID: 7292f0dea14aff54745a77b0fd22452541aed987ebe60a8c49e45e1da826e81b
                                                                          • Opcode Fuzzy Hash: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
                                                                          • Instruction Fuzzy Hash: 6C118B75504384DFCB11CF10D5C4B15BBA1FB84324F28C6A9D8498B696C37AE85ACB62
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: s
                                                                          • API String ID: 0-453955339
                                                                          • Opcode ID: a95d84c1c6251bdd690b392ca5af3518a08e29e951cab5d92c91f07d3742ecff
                                                                          • Instruction ID: eec53a1989babce1279586b6794dfa60292cba7e8f6a8250d41a27c9209e4e62
                                                                          • Opcode Fuzzy Hash: a95d84c1c6251bdd690b392ca5af3518a08e29e951cab5d92c91f07d3742ecff
                                                                          • Instruction Fuzzy Hash: D3B19DB0E116289FDB64DFA9D9847CDBBF1BF48308F5086E9D148A7205EB309A95CF44
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.239222079.00000000000D2000.00000002.00020000.sdmp, Offset: 000D0000, based on PE: true
                                                                          • Associated: 00000000.00000002.239208640.00000000000D0000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.239292603.000000000016A000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dcae3cf9366560d65b4bbc135eddf236c81cb9bbefcbb16acf5649129aaa07e6
                                                                          • Instruction ID: e88a83a2011b5d2dfa0fa9ac8b11be216b5df0c922dd60ffc3bccdea4e413af5
                                                                          • Opcode Fuzzy Hash: dcae3cf9366560d65b4bbc135eddf236c81cb9bbefcbb16acf5649129aaa07e6
                                                                          • Instruction Fuzzy Hash: 0D92236240EBC15FCB079B782DB12D17FB29D6722470E49C7C4C08F5A3E4196A9BE762
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8f94dcb263564c2a7483c1ed042ba42b9f2f06e7f5e88c2b6a23f2498db46775
                                                                          • Instruction ID: 467c4b805128e0433aeca212279f5ba6a7ccd3f5a163786219246de1ded3f48e
                                                                          • Opcode Fuzzy Hash: 8f94dcb263564c2a7483c1ed042ba42b9f2f06e7f5e88c2b6a23f2498db46775
                                                                          • Instruction Fuzzy Hash: 72824B30A04209AFDB54DFA8E884AAEB7F2FF49314F158559E645DF2A1C770ED41CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47291e9c71e4a1ae19a5e56034d721ea258651876f06ab85b327ac3de70eb350
                                                                          • Instruction ID: 4e3b49a27be0009e3c0b34d6c4cf235261934b52686cb4662da6244f742f2729
                                                                          • Opcode Fuzzy Hash: 47291e9c71e4a1ae19a5e56034d721ea258651876f06ab85b327ac3de70eb350
                                                                          • Instruction Fuzzy Hash: 5712C5F1511F66CBE312EF65EC981893BB1B745328F98430AD2612BAF5D7B8114ACF48
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 09b526aeea5c371221e69fd46aab908735bcf99950eaf05000684ed14a07c87d
                                                                          • Instruction ID: 983b329d90d15bc0a9e56e8dff4ac0698e19b62f9054d65aa01ab667fd4f3c51
                                                                          • Opcode Fuzzy Hash: 09b526aeea5c371221e69fd46aab908735bcf99950eaf05000684ed14a07c87d
                                                                          • Instruction Fuzzy Hash: B0A16D32E0061ACFCF15DFA5C8445DEBBB6FFC5300B15816AE905BB2A1EB31A905CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.240003790.0000000000900000.00000040.00000001.sdmp, Offset: 00900000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 418bdebc474b48046d9561af7c0867ae393b281301b142e7635f29ba1e743174
                                                                          • Instruction ID: 06abbebb12799aab6a452ee325ebf995ffdc42b4ed65caa0f8bdd219c8c80d9d
                                                                          • Opcode Fuzzy Hash: 418bdebc474b48046d9561af7c0867ae393b281301b142e7635f29ba1e743174
                                                                          • Instruction Fuzzy Hash: 90C14EB1911B55CBE712EF65EC981893BB1FB85328F58430AD1616FAF0D7B8144ACF48
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 614d2f4b231d6ee625828d2665e94882af2f75bf900a28707f1681faa2b2f76b
                                                                          • Instruction ID: f5a7217bb158267528a541f21a79b7504ca84543c4fa91ff43893aa84168acf4
                                                                          • Opcode Fuzzy Hash: 614d2f4b231d6ee625828d2665e94882af2f75bf900a28707f1681faa2b2f76b
                                                                          • Instruction Fuzzy Hash: FB516E70A192098FD784DF6AE89069EBFF6EF89304F00C539D104AF3A4EB746D058B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d454decd15ee7ede11fe0abd40a1cdb26934d950494f9397768b5c373c4162cd
                                                                          • Instruction ID: 21f7e5860ef0a0107cda21aa4a0b959154fb475776aa9c3707663331343986eb
                                                                          • Opcode Fuzzy Hash: d454decd15ee7ede11fe0abd40a1cdb26934d950494f9397768b5c373c4162cd
                                                                          • Instruction Fuzzy Hash: EB514F709192098FD784DF7AE89069EBFF2EB89304F04C539D104AF3A4EB746D458B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

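The records above are the report's per-function signature blocks: one memory-dump source line, the similarity fields (API ID, String ID, Opcode ID, Instruction ID and the two fuzzy hashes) and a uniqueness score. As an added example, not part of the original report, the following Python parser turns such blocks into structured data, decodes the `.sdmp` dump-file name, lists the records that come from executable-and-writable memory not backed by a PE on disk, and flags Opcode IDs that occur with more than one Instruction ID. The field layout of the dump name and the reading of its fifth field as a Windows PAGE_* protection value are assumptions drawn from the names visible on this page, not something the report documents; the sample text embedded in the block is constructed from three abridged records on this page.

```python
"""Parse the function-signature records on this page (the 'Memory Dump Source' /
'Similarity' blocks) into structured data. Added example, not part of the report."""
import re
from collections import defaultdict

# Constructed sample: three records copied (abridged) from the page, indentation removed.
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.239815265.000000000084D000.00000040.00000001.sdmp, Offset: 0084D000, based on PE: false
Similarity
• API ID:
• Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
• Instruction ID: 47e081172a5450e04fa1b185542a8338129666006b1493399aa44d0b540d2bba
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.239815265.000000000084D000.00000040.00000001.sdmp, Offset: 0084D000, based on PE: false
Similarity
• Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
• Instruction ID: 7292f0dea14aff54745a77b0fd22452541aed987ebe60a8c49e45e1da826e81b
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06D1E41D
Memory Dump Source
• Source File: 00000000.00000002.253666089.0000000006D10000.00000040.00000001.sdmp, Offset: 06D10000, based on PE: false
Similarity
• API ID: MessagePost
• String ID: ~qsL
• API String ID: 410705778-2230267226
• Opcode ID: ecfc45d3c8041520db3c0353e18bdd45559cff8a7d501451969a8c41a2902ee9
• Instruction ID: b4f055abb7a514852d48e062ac8f1536449f9d68f60c2595871066ebd02d780f
Uniqueness
Uniqueness Score: -1.00%
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",  # Windows PAGE_* constants
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_records(text):
    """Split report text into one dict per function record (one per 'Uniqueness Score')."""
    records, cur, section = [], {"apis": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur, section = {"apis": []}, None
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                cur["apis"].append(body)
            elif section == "Memory Dump Source" and (m := SOURCE_RE.match(body)):
                cur["source_file"], cur["offset"] = m[1], int(m[2], 16)
                cur["based_on_pe"] = m[3] == "true"
            elif section == "Similarity":  # "API ID: ..." -> api_id; value may be empty
                key, _, value = body.partition(":")
                cur[key.strip().lower().replace(" ", "_")] = value.strip()
    return records


def decode_dump_name(name):
    """Decode an .sdmp name. The layout <proc idx>.<stage>.<dump id>.<base>.<protection>.<flag>
    is an assumption read off the names on this page, not documented by the report."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    proc, stage, dump_id, base, prot, flag = parts
    return {"process_index": int(proc), "stage": int(stage), "dump_id": int(dump_id),
            "base": int(base, 16), "protection": PAGE.get(int(prot, 16), prot),
            "flag": int(flag, 16)}


def opcode_collisions(records):
    """Opcode IDs seen with more than one Instruction ID: the same opcode sequence
    at different locations, differing only in operands or addresses."""
    seen = defaultdict(set)
    for r in records:
        if r.get("opcode_id"):
            seen[r["opcode_id"]].add(r["instruction_id"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def rwx_non_image_records(records):
    """Records whose dump is executable+writable and not backed by a PE on disk,
    which is where unpacked or injected code normally lives."""
    return [r for r in records if not r["based_on_pe"]
            and decode_dump_name(r["source_file"])["protection"] == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(rwx_non_image_records(recs)), "records in RWX non-image memory")
    print(len(opcode_collisions(recs)), "opcode IDs seen at more than one location")
```

On the sample, the two records at 0084D000 share Opcode ID 1634690f… but carry different Instruction IDs, which is exactly what the collision check surfaces: the same opcode sequence present at two locations. All three sample dumps decode to PAGE_EXECUTE_READWRITE with "based on PE: false", the profile of code written into memory at run time rather than mapped from the executable on disk; the records further down with a process index of 7 come from a second process and can be grouped the same way.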
                                                                          Executed Functions

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (/l$,
                                                                          • API String ID: 0-1030996025
                                                                          • Opcode ID: 5d3cd9b9354e5942f96139aa5495a0bd7f6e0bf0d1c28aac2198464430965358
                                                                          • Instruction ID: 336dde2f0f118bc724e2124fa2954c4f90368c7c93111f24e30b5d711e823113
                                                                          • Opcode Fuzzy Hash: 5d3cd9b9354e5942f96139aa5495a0bd7f6e0bf0d1c28aac2198464430965358
                                                                          • Instruction Fuzzy Hash: 0202CE347112018FD724EB68D880B6AB7E2AF95308F158A29E9159F7E5CF74EC46CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: be37bde7b9561e241dd891afaa82be5db0e976dea89c3686f00ba567ed2156d2
                                                                          • Instruction ID: 6ded003fca348bbc943542bee4f4583039bfd9cc9c0f54d3d720c0f922c1ce2f
                                                                          • Opcode Fuzzy Hash: be37bde7b9561e241dd891afaa82be5db0e976dea89c3686f00ba567ed2156d2
                                                                          • Instruction Fuzzy Hash: C701F5746172528FDB16FBA9D05076E7FB8AF15200B0800ADC549D73C6CB346822CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2c428804ffd6185183040fcf6e8ab98ef51d303d806e989ee882de27f5249e88
                                                                          • Instruction ID: f02879c18a27fd1d0c4230a09292507d7852ba61e07db488caf59728b46be1ee
                                                                          • Opcode Fuzzy Hash: 2c428804ffd6185183040fcf6e8ab98ef51d303d806e989ee882de27f5249e88
                                                                          • Instruction Fuzzy Hash: 1551BF30B101048FCB54DF68D455AAEBBF6EF89704F2580A9E506EB3A2CB74DC058B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cca4fcfabdd402ba76b013a8a0a1d253db26a2e617305b4a9a119a29f5258778
                                                                          • Instruction ID: 1fdac52c8f3d7b45bc4ff35b9a0a29d6094246345bea850cb53f701f91a79643
                                                                          • Opcode Fuzzy Hash: cca4fcfabdd402ba76b013a8a0a1d253db26a2e617305b4a9a119a29f5258778
                                                                          • Instruction Fuzzy Hash: 4041E4307042048FD715DB78C854AAEBBF6EF89304F1985AAE105DB3A2CB75DC09CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4396cfa7e760d332f5f6474e4ec311be79c84aef5f2a639e9bd7da63294ada84
                                                                          • Instruction ID: 9fdcc7ca338974d8493a1d229550541bc1d7112da36804ce43ae529c0939ffa7
                                                                          • Opcode Fuzzy Hash: 4396cfa7e760d332f5f6474e4ec311be79c84aef5f2a639e9bd7da63294ada84
                                                                          • Instruction Fuzzy Hash: B4511A3A605205CFC767FF38E8848497372FBA53093508A29D4098B328EB39AD46CF80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b66b31a8c642fafad810167e66cc976168c152f3e4283d19dcc568983f05df3
                                                                          • Instruction ID: 7ca3c2a16216c7175e92ce079e8371c62367c9eaf3147beb8ba6397783d1ccda
                                                                          • Opcode Fuzzy Hash: 0b66b31a8c642fafad810167e66cc976168c152f3e4283d19dcc568983f05df3
                                                                          • Instruction Fuzzy Hash: 6741C370E051096FCB14EBB8C4416AEBBF6EF85304F14C669E409D7785DB349D458BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000007.00000002.481700330.0000000001280000.00000040.00000001.sdmp, Offset: 01280000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d2c613b1970d5679d2bd2f140d962a27b73c7b7fb70e2b33c272fb4d232b7724
                                                                          • Instruction ID: a1f5df0c3f601804fdc562eff262fd2ca11b9d17c8896d305490ba0cead384f3
                                                                          • Opcode Fuzzy Hash: d2c613b1970d5679d2bd2f140d962a27b73c7b7fb70e2b33c272fb4d232b7724
Non-executed Functions