
Windows Analysis Report 1Edyk9e6oL

Overview

General Information

Sample Name: 1Edyk9e6oL (renamed file extension from none to exe)
Analysis ID: 528554
MD5: 6a8ebc295dbde6256299d4236732cbdc
SHA1: 6975e7c55935f838401f9682480ea3b6749f7307
SHA256: 04595c3111276f02b6dc2ece0778cb5829c086484aeafa24e0aac3d8479deb4b
Tags: BABADEDA-Crypter, exe, signed, Ursnif

Detection

Ursnif
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
PE file has a writeable .text section
Writes or reads registry keys via WMI
Obfuscated command line found
Writes registry values via WMI
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 1Edyk9e6oL.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\1Edyk9e6oL.exe" MD5: 6A8EBC295DBDE6256299D4236732CBDC)
    • 1Edyk9e6oL.tmp (PID: 5624 cmdline: "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" MD5: 760A37743734493F9932E546677C2EF2)
      • 1Edyk9e6oL.exe (PID: 5528 cmdline: "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT MD5: 6A8EBC295DBDE6256299D4236732CBDC)
        • 1Edyk9e6oL.tmp (PID: 6688 cmdline: "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT MD5: 760A37743734493F9932E546677C2EF2)
          • restsharp.exe (PID: 6728 cmdline: "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe" MD5: A445770520FEDB0462439C43D6D898C6)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
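The process tree and the extracted configuration above are the two parts of this report a SOC can act on directly. The following is an added example (my own code, not part of the Joe Sandbox report and not Ursnif's or the sandbox's code) that turns them into checks over endpoint telemetry: it de-duplicates the C2 list (the extractor prints huyasos.in four times), flags the vendor-lookalike hostname get.updates.avast.cn, matches process-creation events against the Inno Setup chain in the tree (stub extracted to %LOCALAPPDATA%\Temp\is-XXXXX.tmp, re-run with /VERYSILENT, payload started from a subdirectory of %APPDATA%\Roaming), and matches DNS queries against the C2 domains. The event dicts are constructed in the Sysmon event shape (EventID 1 process create, EventID 22 DNS query, QueryStatus 9003 being DNS_ERROR_RCODE_NAME_ERROR), and the VENDOR_BRANDS list and the path regexes are my own generalisations, not rules from the report.

```python
import json
import re

# The Ursnif configuration exactly as the report's Malware Configuration Extractor printed it.
URSNIF_CONFIG = json.loads('''{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}''')

# Assumption (not from the report): vendor brands whose appearance as a hostname label is worth
# flagging, because get.updates.avast.cn imitates a legitimate updater domain.
VENDOR_BRANDS = ("avast", "microsoft", "google", "adobe")

# Path patterns generalised from the report's process tree (my generalisation, not a sandbox rule):
# an Inno Setup stub under %LOCALAPPDATA%\Temp\is-XXXXX.tmp\<name>.tmp started with /SL5=, and a
# payload started from a subdirectory of %APPDATA%\Roaming.
INNO_STUB = re.compile(r"\\AppData\\Local\\Temp\\is-[A-Z0-9]+\.tmp\\[^\\]+\.tmp$", re.I)
INNO_ARGS = re.compile(r"/SL5=", re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I)


def c2_domains(cfg):
    """Unique C2 hostnames in config order; the extractor lists huyasos.in four times."""
    return list(dict.fromkeys(d.lower().rstrip(".") for d in cfg["c2_domain"]))


def lookalike_domains(domains):
    """C2 hostnames that carry a vendor brand as one of their DNS labels."""
    return [d for d in domains if any(b in d.split(".") for b in VENDOR_BRANDS)]


def match_process_chain(events):
    """EventID 1 records that reproduce the tree: a stub re-run silently, then a Roaming payload parented by a stub."""
    stubs, hits = set(), []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image, cmd, parent = ev["Image"], ev.get("CommandLine", ""), ev.get("ParentImage", "")
        if INNO_STUB.search(image) and INNO_ARGS.search(cmd):
            stubs.add(image.lower())
            if "/VERYSILENT" in cmd.upper():
                hits.append((image, "Inno Setup stub re-run with /VERYSILENT"))
        elif ROAMING_EXE.search(image) and parent.lower() in stubs:
            hits.append((image, "executable under AppData\\Roaming started by the installer stub"))
    return hits


def match_dns(events, domains):
    """EventID 22 records whose QueryName is a configured C2 domain or a subdomain of one."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:
            continue
        name = ev["QueryName"].lower().rstrip(".")
        if name in domains or any(name.endswith("." + d) for d in domains):
            hits.append((name, ev.get("QueryStatus", "")))  # "9003" = NXDOMAIN, as in the report's DNS line
    return hits


# Constructed telemetry modelled on the report's process tree and DNS line; not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\1Edyk9e6oL.exe",
     "CommandLine": r'"C:\Users\user\Desktop\1Edyk9e6oL.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"',
     "ParentImage": r"C:\Users\user\Desktop\1Edyk9e6oL.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT',
     "ParentImage": r"C:\Users\user\Desktop\1Edyk9e6oL.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp"},
    # Benign contrast (constructed): a stub whose child lives in Program Files does not trip the Roaming check.
    {"EventID": 1, "Image": r"C:\Program Files\SomeTool\sometool.exe",
     "CommandLine": r'"C:\Program Files\SomeTool\sometool.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe",
     "QueryName": "get.updates.avast.cn", "QueryStatus": "9003"},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe",
     "QueryName": "cdn.curves.ws", "QueryStatus": "0"},  # constructed subdomain case
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.avast.com", "QueryStatus": "0"},  # the real vendor domain, must not match
]

if __name__ == "__main__":
    domains = c2_domains(URSNIF_CONFIG)
    print("C2 domains:", domains)
    print("brand lookalikes:", lookalike_domains(domains))
    for image, why in match_process_chain(SAMPLE_EVENTS):
        print("process:", image, "->", why)
    for name, status in match_dns(SAMPLE_EVENTS, domains):
        print("dns:", name, "status", status)
```

The DNS check matches on the registrable domain and any subdomain because Ursnif's DGA_count of 10 means the live domain set changes; the static list is only the seed. The NXDOMAIN answer for get.updates.avast.cn seen in the report is exactly the "expired dropper" behaviour the Signatures list describes, and a query for a dead C2 domain is still a high-confidence indicator of the implant running.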

Yara Overview

Memory Dumps

Source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: Process Memory Space: restsharp.exe PID: 6728 | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security

Unpacked PEs

Source: 19.2.restsharp.exe.35294a0.2.raw.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 19.2.restsharp.exe.1280000.1.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 19.2.restsharp.exe.35294a0.2.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 19.2.restsharp.exe.35294a0.2.raw.unpack  Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 1Edyk9e6oL.exe  Virustotal: Detection: 44%
Source: 1Edyk9e6oL.exe  Metadefender: Detection: 17%
Source: 1Edyk9e6oL.exe  ReversingLabs: Detection: 35%
Antivirus / Scanner detection for submitted sample
Source: 1Edyk9e6oL.exe  Avira: detected
Source: 19.2.restsharp.exe.100000.0.unpack  Avira: Label: TR/Crypt.ZPACK.Gen8
Source: 1Edyk9e6oL.exe  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: 1Edyk9e6oL.exe  Static PE information: certificate valid
Source: 1Edyk9e6oL.exe  Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
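The three static PE lines above and two entries in the Signatures list ("PE file has a writeable .text section", "PE file contains an invalid checksum") are all answered by reading the PE headers, which is the first thing to do with a dropped file before it ever runs. The following is an added example (my own code, not the sandbox's and not from the report) that parses those headers without third-party libraries: it decodes IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics into the names the report prints, lists code sections that are also writable, and recomputes the PE checksum with the same arithmetic as CheckSumMappedFile. Because the sample itself is not on this page, the code builds a constructed minimal PE32 image carrying the same flag values (0x818F and 0x8140) and a writable .text section; build_image, set_checksum and triage are my helper names, and the code assumes e_lfanew is 4-byte aligned, as the PE format requires.

```python
import struct

# Flag names as the report prints them (IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* bits).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SCN_CNT_CODE, SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000

# Values the report prints for 1Edyk9e6oL.exe, and two section flag sets for the constructed image.
SAMPLE_FILE_CHARS = 0x818F   # LOCAL_SYMS_STRIPPED|32BIT_MACHINE|BYTES_REVERSED_LO|EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|BYTES_REVERSED_HI|RELOCS_STRIPPED
SAMPLE_DLL_CHARS = 0x8140    # TERMINAL_SERVER_AWARE|DYNAMIC_BASE|NX_COMPAT
WRITABLE_TEXT = SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE   # what the signature flags
NORMAL_TEXT = SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ                     # what a linker normally emits


def parse_pe(data):
    """Return (file_characteristics, dll_characteristics, checksum_field_offset, stored_checksum, [(name, flags)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, opt_size, characteristics = struct.unpack_from("<H12xHH", data, pe_off + 6)
    opt_off = pe_off + 24                                                 # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    checksum_off = opt_off + 64                                           # CheckSum sits at +64 in both PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]           # DllCharacteristics at +70 in both
    sections = []
    for i in range(nsections):
        name, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return characteristics, dll_chars, checksum_off, stored, sections


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def writable_code_sections(sections):
    """Sections that are code/executable and also writable: the condition behind the report's .text finding."""
    return [n for n, f in sections if (f & SCN_MEM_WRITE) and (f & (SCN_MEM_EXECUTE | SCN_CNT_CODE))]


def pe_checksum(data, checksum_off):
    """One's-complement sum over dwords (field itself skipped), folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def set_checksum(data, value):
    off = parse_pe(data)[2]
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def triage(data):
    file_chars, dll_chars, off, stored, sections = parse_pe(data)
    return {
        "characteristics": flag_names(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "writable_code": writable_code_sections(sections),
        "checksum": "unset" if stored == 0 else ("valid" if stored == pe_checksum(data, off) else "invalid"),
    }


def build_image(file_chars, dll_chars, text_flags, checksum=0):
    """Constructed minimal PE32 image (headers plus one .text section) for demonstration; not the sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, file_chars)    # i386, one section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                           # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<HH", opt, 68, 2, dll_chars)                            # Subsystem GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_flags)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200                                          # .text raw data: 512 `ret` bytes


if __name__ == "__main__":
    img = build_image(SAMPLE_FILE_CHARS, SAMPLE_DLL_CHARS, WRITABLE_TEXT)
    print(triage(img))
    print(triage(set_checksum(img, pe_checksum(img, parse_pe(img)[2]))))
```

The 0x818F characteristics value is the combination Delphi-built binaries (and therefore Inno Setup stubs) normally carry, so on its own it says "Delphi linker" rather than "malicious"; a writable code section and a stale checksum are what separate a repacked or crypted binary from a clean build, which is why the report lists them as signatures rather than as static facts.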
Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdbAu  Source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb  Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp
Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdb  Source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 1_2_0040AEF4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_0040E6A0 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 9_2_0040AEF4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 9_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: 10_2_0060C2B0 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: 10_2_0040E6A0 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: 10_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: 10_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: unknown  DNS traffic detected: query: get.updates.avast.cn, reply code: Name error (3)
Strings found in binary or memory. The source is 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp unless a different source is given in brackets:
  http://0xeb.wordpress.com/)
  http://alioth.debian.org/forum/?group_id=31080
  http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4  [1Edyk9e6oL.tmp, 0000000A.00000003.418367092.0000000005256000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416252588.00000000005E5000.00000002.00020000.sdmp]
  http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI  [1Edyk9e6oL.tmp, 0000000A.00000003.418367092.0000000005256000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416252588.00000000005E5000.00000002.00020000.sdmp]
  http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML  [1Edyk9e6oL.tmp, 0000000A.00000003.418367092.0000000005256000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416252588.00000000005E5000.00000002.00020000.sdmp]
  http://blag.oxff.net/#2sapnfkthvpzjscp3xwq)
  http://blag.oxff.net/)
  http://blog.poxiao.me/p/wow64-process-inject-dll-into-win64-process/)
  http://blog.rewolf.pl/blog/?p=102&replytocom=1934#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=1943#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=30002#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=31582#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=31630#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=33151#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=33194#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=38440#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=38497#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=41470#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=41474#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=424#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=44368#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=44440#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=44560#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47364#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47365#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47373#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47375#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47392#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47406#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47408#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47413#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47431#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47645#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47646#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47652#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47659#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47660#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47661#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47662#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47663#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47722#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47723#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47754#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47756#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47957#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47964#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47969#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47991#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47992#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=47993#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48008#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48030#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48031#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48042#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48072#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48075#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48079#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=48088#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=50#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=51#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=51969#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=51972#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=51989#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=51992#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=54#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=56#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=60242#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=60901#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=62454#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=62459#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=62466#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=62478#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64488#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64489#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64490#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64491#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64843#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64844#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64845#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=64853#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=65012#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=65050#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=65057#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=65075#respond)
  http://blog.rewolf.pl/blog/?p=102&replytocom=65081#respond)
  http://blog.rewolf.pl/blog/?p=163)
  http://blog.rewolf.pl/blog/?p=319)
  http://blog.rewolf.pl/blog/?p=80)
  http://blog.rewolf.pl/blog/?page_id=1730)
  http://blog.rewolf.pl/blog/?page_id=41)
  http://blog.rewolf.pl/blog/?page_id=47)
  http://blog.rewolf.pl/blog/?page_id=679)
  http://blog.rewolf.pl/blog/?page_id=859)
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=104456&repeatmerged=yes
  http://bura-bura.com/blog/archives/2005/08/02/how-to-compile-an-application-for-102-or-103-using-xco  [1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr]
  http://code.google.com/p/corkami/source/browse/trunk/misc/MakePE/examples/asm/usermode_test.asm?spec
  http://code.google.com/p/rewolf-wow64ext/)
  http://corkami.com/)
  http://creativecommons.org/ns#
  http://creativecommons.org/publicdomain/zero/1.0/  [is-EAQ8J.tmp.10.dr]
  http://dirty-joe.com/)
  http://gdtr.wordpress.com/)
  http://github.com/rwfpl)
  http://github.com/rwfpl/rewolf-wow64ext)
  http://gynvael.coldwind.pl/)
  http://j00ru.vexillium.org/)
  http://lync.in/)
  http://omeg.pl/blog)
  http://pastebin.com/8ZQa2heh)
  http://rewolf.pl/stuff/x86tox64.zip)
  http://scripts.sil.org/OFL
  http://sdlpango.sourceforge.net
  http://security.szurek.pl/)
  http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
  http://sourceforge.net/bugs/?func=detailbug&bug_id=131474&group_id=12715)
  http://sourceforge.net/tracker/index.php?func=detail&aid=414339&group_id=12715&atid=112715)
  http://sourceforge.net/tracker/index.php?func=detail&aid=421508&group_id=12715&atid=112715)
  http://tamaroth.eu/)
  http://terminus.rewolf.pl/)
  http://translationproject.org/
  http://translationproject.org/extra/matrix.html
  http://tux4kids.alioth.debian.org
  http://tux4kids.net/~jdandr2)
  http://waleedassar.blogspot.com/)
  http://wordpress.org/)
  http://www.ffri.jp/assets/files/research/research_papers/psj10-murakami_EN.pdf)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.galuzzi.it.
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.iisc.ernet.in
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.inkscape.org/)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.inkscape.org/namespaces/inkscape
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/download-1.2.php
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org/projects/SDL_image
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/projects/SDL_image/
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org/projects/SDL_mixer
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/projects/SDL_mixer/
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org/projects/SDL_ttf
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/projects/SDL_ttf/
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.opensc.ws/c-c-help/19270-direct-code-injection-x32-x64-2.html#post176735)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.tux4kids.com.
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://blog.rewolf.pl/blog/?feed=rss2)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://dev.krzaq.cc/)
              Source: restsharp.exe, 00000013.00000002.554163309.00000000030CB000.00000004.00000010.sdmpString found in binary or memory: https://get.u
              Source: restsharp.exe, 00000013.00000002.553908667.0000000001524000.00000004.00000020.sdmp, restsharp.exe, 00000013.00000002.553930083.0000000001536000.00000004.00000020.sdmpString found in binary or memory: https://get.updates.avast.cn/
              Source: restsharp.exe, 00000013.00000002.553890287.0000000001510000.00000004.00000020.sdmpString found in binary or memory: https://get.updates.avast.cn/sreamble/byn8hRGg_2/B67AeijKX4tuEr1sn/dvpKbG1_2FYf/rPVCgZrAe_2/FPqeoAPF
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://github.com/rwfpl)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://github.com/rwfpl/followers)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://github.com/rwfpl/rewolf-wow64ext)
              Source: 1Edyk9e6oL.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
              Source: 1Edyk9e6oL.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://labs.nettitude.com/dll-injection-part-two/)
              Source: is-EAQ8J.tmp.10.drString found in binary or memory: https://openclipart.org/detail/188214/eraser-by-crisg-188214U2
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://pwningmad.wordpress.com/)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/intent/follow?original_referer=http%3A%2F%2Fblog.rewolf.pl%2Fblog%2F%3Fp%3D102&r
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/intent/user?original_referer=http%3A%2F%2Fblog.rewolf.pl%2Fblog%2F%3Fp%3D102&ref
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://vul.anbai.com/43355.html)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://www.corelan.be/index.php/2011/11/05/wow64-egghunter/)
              Source: 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmpString found in binary or memory: https://www.innosetup.com/
              Source: 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmpString found in binary or memory: https://www.remobjects.com/ps
              Source: is-SV4NE.tmp.10.drString found in binary or memory: https://www.tupitube.com
              Source: unknownDNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match | File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
Source: restsharp.exe, 00000013.00000002.553577591.000000000149A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match | File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section
Source: is-DL2UG.tmp.10.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 1Edyk9e6oL.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 1_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 6_2_0060F6D8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 9_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 10_2_0060F6D8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004323DC | 1_2_004323DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004255DC | 1_2_004255DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0040E9C4 | 1_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_006B786C | 6_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0040C938 | 6_2_0040C938
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_004323DC | 9_2_004323DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_004255DC | 9_2_004255DC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_0040E9C4 | 9_2_0040E9C4
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_006B786C | 10_2_006B786C
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0040C938 | 10_2_0040C938
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E384A00 | 19_2_6E384A00
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E381600 | 19_2_6E381600
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E384EA0 | 19_2_6E384EA0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E38CADD | 19_2_6E38CADD
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3826D0 | 19_2_6E3826D0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E385F70 | 19_2_6E385F70
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E387F69 | 19_2_6E387F69
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3877A0 | 19_2_6E3877A0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3853F0 | 19_2_6E3853F0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E387BD0 | 19_2_6E387BD0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E387017 | 19_2_6E387017
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E386C70 | 19_2_6E386C70
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E385050 | 19_2_6E385050
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E382440 | 19_2_6E382440
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3824AC | 19_2_6E3824AC
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E381D20 | 19_2_6E381D20
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E384D70 | 19_2_6E384D70
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E38995F | 19_2_6E38995F
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3825A0 | 19_2_6E3825A0
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E385980 | 19_2_6E385980
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E38A185 | 19_2_6E38A185
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3865F0 | 19_2_6E3865F0
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: String function: 0060CD28 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: String function: 006163B4 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: String function: 00616130 appears 39 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: String function: 00427848 appears 42 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: String function: 0040CC60 appears 34 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: String function: 0040873C appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_00101C90 GetProcAddress,NtCreateSection,memset | 19_2_00101C90
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_00101703 NtMapViewOfSection | 19_2_00101703
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_001019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError | 19_2_001019A0
Source: 1Edyk9e6oL.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 1Edyk9e6oL.tmp.9.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 1Edyk9e6oL.exe, 00000001.00000003.292668523.00000000023E8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000000.283304261.00000000004DC000.00000002.00020000.sdmp | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000003.284182308.000000000270C000.00000004.00000001.sdmp | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000003.284869590.000000007FE68000.00000004.00000001.sdmp | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.291384347.00000000026FC000.00000004.00000001.sdmp | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.426104453.00000000023D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000000.290559398.00000000004DC000.00000002.00020000.sdmp | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.293025032.000000007FE68000.00000004.00000001.sdmp | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe | Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-DL2UG.tmp.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Section loaded: libtfs2.0.dll
Source: is-P09CL.tmp.10.dr | Static PE information: Number of sections : 12 > 10
Source: is-E4UP5.tmp.10.dr | Static PE information: Number of sections : 13 > 10
Source: is-9HHB4.tmp.10.dr | Static PE information: Number of sections : 13 > 10
Source: is-BB30O.tmp.10.dr | Static PE information: Number of sections : 13 > 10
Source: is-K16NE.tmp.10.dr | Static PE information: Number of sections : 14 > 10
Source: 1Edyk9e6oL.exe | Virustotal: Detection: 44%
Source: 1Edyk9e6oL.exe | Metadefender: Detection: 17%
Source: 1Edyk9e6oL.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | File read: C:\Users\user\Desktop\1Edyk9e6oL.exe
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 1_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 6_2_0060F6D8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 9_2_004AF110
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 10_2_0060F6D8
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | File created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp
Source: classification engine | Classification label: mal54.troj.evad.winEXE@9/305@1/0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0062CFB8 GetVersion,CoCreateInstance | 6_2_0062CFB8
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0041A4DC GetDiskFreeSpaceW | 1_2_0041A4DC
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource | 1_2_004AF9F0
Source: 1Edyk9e6oL.exe | String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: 1Edyk9e6oL.exe | String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: 1Edyk9e6oL.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1Edyk9e6oL.exe | Static file information: File size 5210880 > 1048576
Source: 1Edyk9e6oL.exe | Static PE information: certificate valid
Source: 1Edyk9e6oL.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdbAu | source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb | source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdb | source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Unpacked PE file: 19.2.restsharp.exe.100000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Obfuscated command line found
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004B5000 push 004B50DEh; ret 1_2_004B50D6
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004B5980 push 004B5A48h; ret 1_2_004B5A40
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00458000 push ecx; mov dword ptr [esp], ecx 1_2_00458005
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0049B03C push ecx; mov dword ptr [esp], edx 1_2_0049B03D
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004A00F8 push ecx; mov dword ptr [esp], edx 1_2_004A00F9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00458084 push ecx; mov dword ptr [esp], ecx 1_2_00458089
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004B1084 push 004B10ECh; ret 1_2_004B10E4
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004A1094 push ecx; mov dword ptr [esp], edx 1_2_004A1095
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0041A0B4 push ecx; mov dword ptr [esp], ecx 1_2_0041A0B8
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004270BC push 00427104h; ret 1_2_004270FC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00458108 push ecx; mov dword ptr [esp], ecx 1_2_0045810D
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004321C8 push ecx; mov dword ptr [esp], edx 1_2_004321C9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004A21D8 push ecx; mov dword ptr [esp], edx 1_2_004A21D9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0049E1B8 push ecx; mov dword ptr [esp], edx 1_2_0049E1B9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0049A260 push 0049A378h; ret 1_2_0049A370
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00455268 push ecx; mov dword ptr [esp], ecx 1_2_0045526C
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004252D4 push ecx; mov dword ptr [esp], eax 1_2_004252D9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004592FC push ecx; mov dword ptr [esp], edx 1_2_004592FD
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0045B284 push ecx; mov dword ptr [esp], edx 1_2_0045B285
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00430358 push ecx; mov dword ptr [esp], eax 1_2_00430359
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00430370 push ecx; mov dword ptr [esp], eax 1_2_00430371
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00459394 push ecx; mov dword ptr [esp], ecx 1_2_00459398
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx 1_2_004A1429
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx 1_2_0049B425
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx 1_2_004A24D9
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004224F0 push 004225F4h; ret 1_2_004225EC
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax 1_2_004304F1
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00499490 push ecx; mov dword ptr [esp], edx 1_2_00499493
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00458564 push ecx; mov dword ptr [esp], edx 1_2_00458565
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00458574 push ecx; mov dword ptr [esp], edx 1_2_00458575
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx 1_2_00457578
Source: 1Edyk9e6oL.exe | Static PE information: section name: .didata
Source: 1Edyk9e6oL.tmp.1.dr | Static PE information: section name: .didata
Source: 1Edyk9e6oL.tmp.9.dr | Static PE information: section name: .didata
Source: is-K16NE.tmp.10.dr | Static PE information: section name: /4
Source: is-K16NE.tmp.10.dr | Static PE information: section name: .xdata
Source: is-K16NE.tmp.10.dr | Static PE information: section name: /14
Source: is-E4UP5.tmp.10.dr | Static PE information: section name: /4
Source: is-E4UP5.tmp.10.dr | Static PE information: section name: .xdata
Source: is-E4UP5.tmp.10.dr | Static PE information: section name: /14
Source: is-9HHB4.tmp.10.dr | Static PE information: section name: /4
Source: is-9HHB4.tmp.10.dr | Static PE information: section name: .xdata
Source: is-9HHB4.tmp.10.dr | Static PE information: section name: /14
Source: is-P09CL.tmp.10.dr | Static PE information: section name: .xdata
Source: is-BB30O.tmp.10.dr | Static PE information: section name: /4
Source: is-BB30O.tmp.10.dr | Static PE information: section name: .xdata
Source: is-BB30O.tmp.10.dr | Static PE information: section name: /14
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_00101264 LoadLibraryA,GetProcAddress
Source: 1Edyk9e6oL.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x331370
Source: 1Edyk9e6oL.tmp.9.dr | Static PE information: real checksum: 0x0 should be: 0x331370
Source: is-T5J2K.tmp.10.dr | Static PE information: real checksum: 0x234a01 should be: 0x24a5f6
Source: is-DL2UG.tmp.10.dr | Static PE information: real checksum: 0x690dcc should be: 0x69934a
Source: is-K16NE.tmp.10.dr | Static PE information: 0xA5E8A5E0 [Sat Mar 16 06:57:36 2058 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 6.89492529939
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | File created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\tsharkdecode.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-DL2UG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | File created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaad2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility\SharpDX Direct3D9Utility.lnk

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match | File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe TID: 6428 | Thread sleep time: -39000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe TID: 4596 | Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\tsharkdecode.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E381207 rdtsc
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0040AEF4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0040E6A0 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_0040AEF4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0060C2B0 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0040E6A0 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Thread delayed: delay time: 39000
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Thread delayed: delay time: 90000
Source: restsharp.exe, 00000013.00000002.553869733.0000000001502000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

              Anti Debugging:

              Potentially malicious time measurement code found
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E3813D0
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E381440
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E41C4CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_00101264 LoadLibraryA,GetProcAddress
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E381207 rdtsc
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E41FF01 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E42E7EF mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E42E877 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_0053FBEC mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E41BAA2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E41C4CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe | Code function: 19_2_6E423D7F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp | Binary or memory string: Program Manager
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp | Binary or memory string: Progman
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmp | Binary or memory string: Progmanlock