Source: Process started | Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SWcNyi2YBj.exe' , ParentImage: C:\Users\user\Desktop\SWcNyi2YBj.exe, ParentProcessId: 3468, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mWSqBKhLOazUTy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3DE4.tmp', ProcessId: 3412 |
Source: C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe | ReversingLabs: Detection: 23% |
Source: SWcNyi2YBj.exe | ReversingLabs: Detection: 26% |
Source: C:\Users\user\AppData\Roaming\mWSqBKhLOazUTy.exe | Joe Sandbox ML: detected |
Source: 7.2.SWcNyi2YBj.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen |
Source: SWcNyi2YBj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: SWcNyi2YBj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h |
Source: unknown | DNS query: name: newtechublil.ddns.net |
Source: global traffic | TCP traffic: 192.168.2.3:49717 -> 79.134.225.103:8675 |
Source: Joe Sandbox View | IP Address: 79.134.225.103 |
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH |
Source: unknown | DNS traffic detected: queries for: newtechublil.ddns.net |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: SWcNyi2YBj.exe, 00000000.00000002.245240426.00000000054A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: Yara match | File source: 00000007.00000002.479348490.0000000000402000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 3468, type: MEMORY |
Source: Yara match | File source: Process Memory Space: SWcNyi2YBj.exe PID: 4912, type: MEMORY |
Source: Yara match | File source: 7.2.SWcNyi2YBj.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.26366d4.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SWcNyi2YBj.exe.25230cc.2.raw.unpack, type: UNPACKEDPE |
Source: SWcNyi2YBj.exe, frmlogin.cs | Long String: Length: 13656 |
Source: mWSqBKhLOazUTy.exe.0.dr, frmlogin.cs | Long String: Length: 13656 |
Source: 0.0.SWcNyi2YBj.exe.d0000.0.unpack, frmlogin.cs | Long String: Length: 13656 |
Source: 0.2.SWcNyi2YBj.exe.d0000.0.unpack, frmlogin.cs | Long String: Length: 13656 |
Source: 6.0.SWcNyi2YBj.exe.230000.0.unpack, frmlogin.cs | Long String: Length: 13656 |
Source: 6.2.SWcNyi2YBj.exe.230000.0.unpack, frmlogin.cs | Long String: Length: 13656 |
Source: 7.2.SWcNyi2YBj.exe.830000.1.unpack, frmlogin.cs | Long String: Length: 13656 |
Source: 7.0.SWcNyi2YBj.exe.830000.0.unpack, frmlogin.cs | Long String: Length: 13656 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_000D9530 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_0090C0D4 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_0090E591 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_0090E5A0 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D1C7A6 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D10040 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D14489 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D10D80 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D1DBB0 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D12B40 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 0_2_06D12B30 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 6_2_00239530 |
Source: C:\Users\user\Desktop\SWcNyi2YBj.exe | Code function: 7_2_00839530 |
Source: SWcNyi2YBj.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: mWSqBKhLOazUTy.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: SWcNyi2YBj.exe, 00000000.00000002.253881383.0000000007330000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.239292603.000000000016A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.254006511.0000000007430000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.254006511.0000000007430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.240619537.00000000034C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.253416018.0000000006AA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.253815176.0000000007080000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000000.00000002.240378798.00000000024C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000006.00000000.236554671.00000000002CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000007.00000002.479377550.000000000040E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000007.00000002.488056116.00000000051A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000007.00000000.237603155.00000000008CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000007.00000002.481116243.0000000000FCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe, 00000007.00000002.488189504.0000000005570000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe | Binary or memory string: OriginalFilenameSHA384.exe4 vs SWcNyi2YBj.exe |
Source: SWcNyi2YBj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: SWcNyi2YBj.exe, frmlogin.cs | Base64 encoded string: [long base64 blob omitted] |