Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.84784.3654.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Jaik.84784.3654.exe
Analysis ID: 662065
MD5: 74cd3c3d32dcf5029d1bc66347f44af7
SHA1: d7ec9719a6e5ea0b386ef590b1b74c317e597ff8
SHA256: cb943da125fde19e41c965a9f260caf79a6fca98c89b83bde609b843be0da377

Detection

AsyncRAT, DcRat
Score: 62
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Self deletion via cmd or bat file
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Virustotal: Detection: 58% Perma Link
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\AppVerif\DllHelper.exe Avira: detection malicious, Label: TR/Dropper.Gen7
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Joe Sandbox ML: detected
Source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "137.74.157.86", "Ports": "4449", "Version": " 5.0.5", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "AdlbMZFI5HbWg0iu5IqX0wSXQQa8QOLS", "Mutex": "ads3", "AntiDetection": "null", "External_config_on_Pastebin": "false", "BDOS": "1", "Startup_Delay": "zP7fPronnwucEY5Dp6OPgBbQxf8tJiPByXJ04rcWlJToRK/Y32OI2MU20Hq4rMVqVG/uL5FysKz/0xBrbRqJJA==", "HWID": "null", "Certificate": "[certificate blob omitted]", "ServerSignature": "eKZENGspnXkrDqiaf/g9a4bTxFDTrVNeU3cFp9wRLJ8NWVUlptiRl8ToeqRS9jPunWKEhdxjsDe0H4qXg9I+nnzookw2XZ89OySClh7WkoBOgKjFz5TA3lLa1ua13At2m1fLiobd36+By2SM4DBQNM+wHUj39Fa7aIAF+t1ovLo=", "Group": "false"}
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log Jump to behavior
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\pik vevaye\Wapawini\gal\Yim.pdb source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03425906 FindFirstFileExW, 0_2_03425906
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034259BA FindFirstFileExW,FindNextFileW,FindClose, 0_2_034259BA
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A8906 FindFirstFileExW, 24_2_035A8906
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A89BA FindFirstFileExW,FindNextFileW,FindClose, 24_2_035A89BA

Networking

Source: Traffic Snort IDS: 2850454 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) 137.74.157.86:4449 -> 192.168.11.20:49760
Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 137.74.157.86:4449 -> 192.168.11.20:49760
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: global traffic TCP traffic: 192.168.11.20:49760 -> 137.74.157.86:4449
Source: unknown TCP traffic detected without corresponding DNS query: 137.74.157.86
Source: InstallUtil.exe, 0000001E.00000003.2663058792.000000000104E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5743741822.0000000001051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: InstallUtil.exe, 0000001E.00000003.2663058792.000000000104E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5743741822.0000000001051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000001E.00000003.2663058792.000000000104E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5743741822.0000000001051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en$
Source: 77EC63BDA74BD0D0E0426DC8F8008506.30.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: InstallUtil.exe, 0000001E.00000003.2903386434.0000000001085000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2663058792.000000000104E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5744623032.0000000001086000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: InstallUtil.exe, 0000001E.00000002.5754333031.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5747812323.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0.

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2304950340.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292908991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.5733215574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292384259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255355229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2324411113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255974959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2306850553.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2293118725.000000000F112000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2270243732.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 9100, type: MEMORYSTR

System Summary

Source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.2.DllHelper.exe.ac1168.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.3.DllHelper.exe.ac1168.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.3.DllHelper.exe.1551530.2.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.2.DllHelper.exe.1551530.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.2.DllHelper.exe.ac1168.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.3.DllHelper.exe.ac1168.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 24.3.DllHelper.exe.1551530.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 24.2.DllHelper.exe.1551530.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FA930 0_2_033FA930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03413950 0_2_03413950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341C950 0_2_0341C950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B4920 0_2_033B4920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341B900 0_2_0341B900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FB970 0_2_033FB970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341A110 0_2_0341A110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EA950 0_2_033EA950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B5940 0_2_033B5940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EF140 0_2_033EF140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0333A1B0 0_2_0333A1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0342A1CC 0_2_0342A1CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340B9D0 0_2_0340B9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E81BD 0_2_032E81BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F99A0 0_2_033F99A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034059E0 0_2_034059E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0339C190 0_2_0339C190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F7990 0_2_033F7990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03398180 0_2_03398180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03419980 0_2_03419980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033399F0 0_2_033399F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033D39E0 0_2_033D39E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033531D0 0_2_033531D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033979D0 0_2_033979D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034029B0 0_2_034029B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033A21C0 0_2_033A21C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EC1C0 0_2_033EC1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E6830 0_2_033E6830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FC020 0_2_033FC020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340D860 0_2_0340D860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F5810 0_2_033F5810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FD010 0_2_033FD010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03398800 0_2_03398800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EC800 0_2_033EC800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E306B 0_2_032E306B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F6870 0_2_033F6870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FC870 0_2_033FC870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03401810 0_2_03401810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0333B060 0_2_0333B060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EE860 0_2_033EE860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03419020 0_2_03419020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341B020 0_2_0341B020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03352850 0_2_03352850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033ED040 0_2_033ED040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034118C0 0_2_034118C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034188C0 0_2_034188C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034200C0 0_2_034200C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0333A8A0 0_2_0333A8A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F88A0 0_2_033F88A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340F8E0 0_2_0340F8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E7890 0_2_033E7890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FD890 0_2_033FD890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340E880 0_2_0340E880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B40F0 0_2_033B40F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E58F0 0_2_033E58F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03412890 0_2_03412890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0339C8E0 0_2_0339C8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340C8A0 0_2_0340C8A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341A8A0 0_2_0341A8A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EB8C0 0_2_033EB8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03403740 0_2_03403740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03408740 0_2_03408740
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0334C710 0_2_0334C710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F1F10 0_2_033F1F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FEF10 0_2_033FEF10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E6718 0_2_032E6718
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B9700 0_2_033B9700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03400700 0_2_03400700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FE770 0_2_033FE770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03403F10 0_2_03403F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E4F60 0_2_033E4F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03417F20 0_2_03417F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03417730 0_2_03417730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341D7D0 0_2_0341D7D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03338FA0 0_2_03338FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03397FA0 0_2_03397FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033A1F90 0_2_033A1F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F4790 0_2_033F4790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341DFF0 0_2_0341DFF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033977F0 0_2_033977F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EDFF0 0_2_033EDFF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03401F90 0_2_03401F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03410F90 0_2_03410F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03415790 0_2_03415790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EF7E0 0_2_033EF7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FF7E0 0_2_033FF7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033397D0 0_2_033397D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F27D0 0_2_033F27D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034047B0 0_2_034047B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03404FB0 0_2_03404FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03416FB0 0_2_03416FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EFFC0 0_2_033EFFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EC610 0_2_033EC610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340D670 0_2_0340D670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03416670 0_2_03416670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B3E00 0_2_033B3E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032DEE60 0_2_032DEE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03339E60 0_2_03339E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F6E60 0_2_033F6E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034026C0 0_2_034026C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034106C0 0_2_034106C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034116C0 0_2_034116C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034146C0 0_2_034146C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03352EB0 0_2_03352EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E6EAB 0_2_032E6EAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033D4EB0 0_2_033D4EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E8EB0 0_2_033E8EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E6EA0 0_2_033E6EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034096F0 0_2_034096F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340A680 0_2_0340A680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341EE80 0_2_0341EE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03398EF0 0_2_03398EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E5EF0 0_2_033E5EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E86F0 0_2_033E86F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F36F0 0_2_033F36F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03406690 0_2_03406690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033426E0 0_2_033426E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E2EF6 0_2_032E2EF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EAED0 0_2_033EAED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F0ED0 0_2_033F0ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340C6B0 0_2_0340C6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E7EDB 0_2_032E7EDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0339C6C0 0_2_0339C6C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03408550 0_2_03408550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E3D35 0_2_032E3D35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0333B510 0_2_0333B510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033D6510 0_2_033D6510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341C570 0_2_0341C570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03402D00 0_2_03402D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03418D00 0_2_03418D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FFD70 0_2_033FFD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03400D10 0_2_03400D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033A4560 0_2_033A4560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341BD20 0_2_0341BD20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F9550 0_2_033F9550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03405530 0_2_03405530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03405DC0 0_2_03405DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F75B0 0_2_033F75B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0333A5A0 0_2_0333A5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F85A0 0_2_033F85A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E7590 0_2_033E7590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F1590 0_2_033F1590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F4590 0_2_033F4590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F0580 0_2_033F0580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340B580 0_2_0340B580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B4DF0 0_2_033B4DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033E95F0 0_2_033E95F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340F5A0 0_2_0340F5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033ED5D0 0_2_033ED5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EB5D0 0_2_033EB5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034075B0 0_2_034075B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034125B0 0_2_034125B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03411C40 0_2_03411C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03415440 0_2_03415440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F5430 0_2_033F5430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03339C20 0_2_03339C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E343D 0_2_032E343D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B5C20 0_2_033B5C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E8C35 0_2_032E8C35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F2420 0_2_033F2420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F8C20 0_2_033F8C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03413460 0_2_03413460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341FC60 0_2_0341FC60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0334C410 0_2_0334C410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F3410 0_2_033F3410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340E470 0_2_0340E470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341DC70 0_2_0341DC70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EAC70 0_2_033EAC70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FCC70 0_2_033FCC70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03409410 0_2_03409410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0333E460 0_2_0333E460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033EF460 0_2_033EF460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0340FC20 0_2_0340FC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03401C30 0_2_03401C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341ECC0 0_2_0341ECC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033974B0 0_2_033974B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03397CB0 0_2_03397CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E2CA5 0_2_032E2CA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FA4B0 0_2_033FA4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033F9CB0 0_2_033F9CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033B54A0 0_2_033B54A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03339490 0_2_03339490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_033FBC90 0_2_033FBC90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03406CF0 0_2_03406CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0341ACF0 0_2_0341ACF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03404C80 0_2_03404C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03419CA0 0_2_03419CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E04C0 0_2_032E04C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FCBAF0 24_2_00FCBAF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FC2460 24_2_00FC2460
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FCAD10 24_2_00FCAD10
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034C8270 24_2_034C8270
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351C210 24_2_0351C210
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03527910 24_2_03527910
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03593B40 24_2_03593B40
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03527360 24_2_03527360
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356BB60 24_2_0356BB60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358D360 24_2_0358D360
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0353E310 24_2_0353E310
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0355AB00 24_2_0355AB00
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03569B30 24_2_03569B30
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03582B30 24_2_03582B30
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358BB20 24_2_0358BB20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358DB20 24_2_0358DB20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03590320 24_2_03590320
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351BBD0 24_2_0351BBD0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03591BF0 24_2_03591BF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BDBE0 24_2_034BDBE0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035373E0 24_2_035373E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356ABE0 24_2_0356ABE0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035713E0 24_2_035713E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351B390 24_2_0351B390
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03570390 24_2_03570390
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358F390 24_2_0358F390
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03579B80 24_2_03579B80
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351F3B0 24_2_0351F3B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357ABB0 24_2_0357ABB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035973B0 24_2_035973B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346ABAD 24_2_0346ABAD
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034D5BA0 24_2_034D5BA0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0353C3A0 24_2_0353C3A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03574250 24_2_03574250
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03580A70 24_2_03580A70
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03557A60 24_2_03557A60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356CA60 24_2_0356CA60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351BA00 24_2_0351BA00
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359AA30 24_2_0359AA30
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035582D0 24_2_035582D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358A2D0 24_2_0358A2D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03581AD0 24_2_03581AD0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03589AD0 24_2_03589AD0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356EAC0 24_2_0356EAC0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359EAC0 24_2_0359EAC0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A22C0 24_2_035A22C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03473AE0 24_2_03473AE0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03583AF0 24_2_03583AF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351CAE0 24_2_0351CAE0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358CAE0 24_2_0358CAE0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03595AE0 24_2_03595AE0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358AA80 24_2_0358AA80
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BC290 24_2_034BC290
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03568AB0 24_2_03568AB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035732B0 24_2_035732B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03586AB0 24_2_03586AB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035962B0 24_2_035962B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03599AB0 24_2_03599AB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03577AA0 24_2_03577AA0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358E2A0 24_2_0358E2A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356D950 24_2_0356D950
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03596950 24_2_03596950
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359F950 24_2_0359F950
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03538940 24_2_03538940
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03572140 24_2_03572140
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357E970 24_2_0357E970
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359D110 24_2_0359D110
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359E900 24_2_0359E900
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03538130 24_2_03538130
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357D930 24_2_0357D930
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03537920 24_2_03537920
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351A9D0 24_2_0351A9D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358E9D0 24_2_0358E9D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035251C0 24_2_035251C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356F1C0 24_2_0356F1C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035AD1CC 24_2_035AD1CC
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034D61D0 24_2_034D61D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035569E0 24_2_035569E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035889E0 24_2_035889E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BC9F0 24_2_034BC9F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351F190 24_2_0351F190
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357A990 24_2_0357A990
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351B180 24_2_0351B180
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359C980 24_2_0359C980
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035859B0 24_2_035859B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357C9A0 24_2_0357C9A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BD1B0 24_2_034BD1B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346B1BD 24_2_0346B1BD
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03570040 24_2_03570040
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034D5850 24_2_034D5850
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03579870 24_2_03579870
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357F870 24_2_0357F870
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BE060 24_2_034BE060
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346606B 24_2_0346606B
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03571860 24_2_03571860
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03590860 24_2_03590860
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03578810 24_2_03578810
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03580010 24_2_03580010
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03584810 24_2_03584810
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351B800 24_2_0351B800
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356F800 24_2_0356F800
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03569830 24_2_03569830
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357F020 24_2_0357F020
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359C020 24_2_0359C020
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359E020 24_2_0359E020
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356E8C0 24_2_0356E8C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035948C0 24_2_035948C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359B8C0 24_2_0359B8C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A30C0 24_2_035A30C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035370F0 24_2_035370F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035688F0 24_2_035688F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351F8E0 24_2_0351F8E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035928E0 24_2_035928E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356A890 24_2_0356A890
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03580890 24_2_03580890
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03595890 24_2_03595890
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03591880 24_2_03591880
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BD8A0 24_2_034BD8A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357B8A0 24_2_0357B8A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358F8A0 24_2_0358F8A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359D8A0 24_2_0359D8A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03586740 24_2_03586740
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358B740 24_2_0358B740
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03581770 24_2_03581770
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03567F60 24_2_03567F60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03574F10 24_2_03574F10
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03581F10 24_2_03581F10
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03586F10 24_2_03586F10
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0353C700 24_2_0353C700
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03583700 24_2_03583700
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034CF710 24_2_034CF710
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03469718 24_2_03469718
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359A730 24_2_0359A730
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359AF20 24_2_0359AF20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035757D0 24_2_035757D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A07D0 24_2_035A07D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03572FC0 24_2_03572FC0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BC7D0 24_2_034BC7D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351A7F0 24_2_0351A7F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03570FF0 24_2_03570FF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A0FF0 24_2_035A0FF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035727E0 24_2_035727E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035827E0 24_2_035827E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03524F90 24_2_03524F90
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03577790 24_2_03577790
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03584F90 24_2_03584F90
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03593F90 24_2_03593F90
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03598790 24_2_03598790
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035877B0 24_2_035877B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03587FB0 24_2_03587FB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03599FB0 24_2_03599FB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BBFA0 24_2_034BBFA0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351AFA0 24_2_0351AFA0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03461E60 24_2_03461E60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03590670 24_2_03590670
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03599670 24_2_03599670
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BCE60 24_2_034BCE60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03579E60 24_2_03579E60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356F610 24_2_0356F610
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03536E00 24_2_03536E00
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356DED0 24_2_0356DED0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03573ED0 24_2_03573ED0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351F6C0 24_2_0351F6C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035856C0 24_2_035856C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035936C0 24_2_035936C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035946C0 24_2_035946C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035976C0 24_2_035976C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346AEDB 24_2_0346AEDB
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351BEF0 24_2_0351BEF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03568EF0 24_2_03568EF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356B6F0 24_2_0356B6F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035766F0 24_2_035766F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358C6F0 24_2_0358C6F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034C56E0 24_2_034C56E0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03465EF6 24_2_03465EF6
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03589690 24_2_03589690
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358D680 24_2_0358D680
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A1E80 24_2_035A1E80
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03557EB0 24_2_03557EB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356BEB0 24_2_0356BEB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358F6B0 24_2_0358F6B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03469EAB 24_2_03469EAB
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03569EA0 24_2_03569EA0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034D5EB0 24_2_034D5EB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357C550 24_2_0357C550
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358B550 24_2_0358B550
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03582D70 24_2_03582D70
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359F570 24_2_0359F570
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03527560 24_2_03527560
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03559510 24_2_03559510
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03583D10 24_2_03583D10
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03585D00 24_2_03585D00
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359BD00 24_2_0359BD00
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BE510 24_2_034BE510
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03588530 24_2_03588530
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03466D35 24_2_03466D35
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359ED20 24_2_0359ED20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356E5D0 24_2_0356E5D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035705D0 24_2_035705D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03588DC0 24_2_03588DC0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03537DF0 24_2_03537DF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356C5F0 24_2_0356C5F0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356A590 24_2_0356A590
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03574590 24_2_03574590
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03577590 24_2_03577590
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03573580 24_2_03573580
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358E580 24_2_0358E580
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357A5B0 24_2_0357A5B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358A5B0 24_2_0358A5B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035955B0 24_2_035955B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BD5A0 24_2_034BD5A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357B5A0 24_2_0357B5A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035925A0 24_2_035925A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03594C40 24_2_03594C40
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03598440 24_2_03598440
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0356DC70 24_2_0356DC70
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357FC70 24_2_0357FC70
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03591470 24_2_03591470
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A0C70 24_2_035A0C70
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034C1460 24_2_034C1460
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03572460 24_2_03572460
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03596460 24_2_03596460
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A2C60 24_2_035A2C60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03576410 24_2_03576410
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0358C410 24_2_0358C410
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034CF410 24_2_034CF410
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03578430 24_2_03578430
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03584C30 24_2_03584C30
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BCC20 24_2_034BCC20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03538C20 24_2_03538C20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346BC35 24_2_0346BC35
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03575420 24_2_03575420
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357BC20 24_2_0357BC20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03592C20 24_2_03592C20
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346643D 24_2_0346643D
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034634C0 24_2_034634C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A1CC0 24_2_035A1CC0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03589CF0 24_2_03589CF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359DCF0 24_2_0359DCF0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357EC90 24_2_0357EC90
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03587C80 24_2_03587C80
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034BC490 24_2_034BC490
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351A4B0 24_2_0351A4B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0351ACB0 24_2_0351ACB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03465CA5 24_2_03465CA5
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357D4B0 24_2_0357D4B0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0357CCB0 24_2_0357CCB0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035384A0 24_2_035384A0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0359CCA0 24_2_0359CCA0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: String function: 00FC1290 appears 31 times
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: String function: 00FC09F0 appears 106 times
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: String function: 00FBD760 appears 144 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: String function: 00CA09F0 appears 106 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: String function: 00CA1290 appears 31 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: String function: 00C9D760 appears 144 times
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DllHelper.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DllHelper.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DllHelper.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppVerif\DllHelper.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppVerif\DllHelper.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edgegdi.dll
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DllHelper.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Virustotal: Detection: 58%
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\user\AppVerif\DllHelper.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Users\user\AppVerif\DllHelper.exe "C:\Users\user\AppVerif\DllHelper.exe"
Source: unknown Process created: C:\Users\user\AppVerif\DllHelper.exe C:\Users\user\AppVerif\DllHelper.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Users\user\AppVerif\DllHelper.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppVerif\DllHelper.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File created: C:\Users\user\AppVerif
Source: classification engine Classification label: mal62.troj.evad.winEXE@18/4@0/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 31.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 31.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 31.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 31.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 25.3.DllHelper.exe.f110000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 25.3.DllHelper.exe.f110000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 31.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 31.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 24.3.DllHelper.exe.db30000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 24.3.DllHelper.exe.db30000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 24.3.DllHelper.exe.db30000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 24.3.DllHelper.exe.db30000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.2.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.0.InstallUtil.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.0.InstallUtil.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: 24.3.DllHelper.exe.db30000.0.unpack, Client/Settings.cs Base64 encoded string: 'yDdZmNkfICnnfuC9H5QR4RFB86NDbT3XnCucL8GcfsS2JAVnW7qRUSvi6lvtrenEU0O9gUO38K/9sI28+3KsTg==', 'SMZ0M+leTw3vnEdgjSzX00rAqF3176LLiL2UpHcQLfMK4DHffglpdrU8Ng2iao1zwVo1R3UJjfdamZY3+7/4N3O7jN4Pw42nqm2LcxtSZI1pEzEob7PqwkDc6LtqJ7cV1pceh38CYAC21LdC1VUpCpJUIkvmBozpm7NBqky2R/wC8IAs9HYcsl2zIkAryOoOH7aZymwTdO2C4rfDBzKyhMIYZx9sXYzBlDYRr2OwJMKWPXczbGSu+PGcf5ne+v+SAlSCZ60J+2XYpR0epJe9+lnHevdW13eBWtnz3ZzWQT/5LyGtSmpYhr45zkr9c0Xd7abca9AoiBaYZ4NDwLpLxnNmQCKFJRX9OdsaaxD1b+0t1b0Kbz5La9iJsxVxUEh5TStUszDyMRSqNs07VicvBLUaeXUFWJ1MeKGarIu8u5MskjoEmClboqum0bPJti+2l5rvOVT1n5SvaOBRaprtNIcSmC4tZCDlCRZqBqYMM1Jr8iw4lnhfFla74rdEZcwM0JdiVo0rbyKI2CgAOU12U8llQoHFgXyYbPy3wfGF9tVTg7SE99uvmgwGlm0S3SOX71MPNnuyLypDn49QPpuEMG3/Hssxd78O68MX3ljgz8ecZv0dgNccmUZDzv5VyGeDoxKPVFAQev7BovEBe34HXMZ41qYMnPkRQYj1qSQIUjMdNvvTzTTndfl3O5rLUI9HxOTN4MjkHRvnuTQ2VfiqNR6mGOoMnjnZzGkH75KAE8Dy13KkOlIis8ZaUXaH7njdWfXxb99HrJomL0qhsx7qWZ1mX2r8jSnfH91lb8Cd7Ao5hE7TSOJ2J7cWAc6lv9JMbN3CYplZ6vYWs1k6pWOMxfPzOmR0OWTvGZSKjbgj4DVVP6+SD2f31FVSoFdRK3VfXXTaSAepGRKesplzRXlcHdfWqQPFf8uCqIKRMgrQD+aOj54rL9VngBGXTEf6eNzto8me+yOljQ7ejwW1TaVmtpd1o0opcE1Sg4g0p969yPVJQ8lVM9SxZrYymRwEqbwndf+bbzXHG9AcgC89Z9o8dl7VGb8LfndjGYgFb1b2G5ZkOk26SZ/TOveCcVIMoWpG', 'nS4Yc+OY1/qvAVhP34tJjSnKQWrVfQ0aImA+b5rs0NWBVvjPwnKAPJGG6ccEOr2hOni1HBRAxK/0Iwi/kuqlPNmK/VYZgIrk5NZ1T7/vonGL1qRwTTBgVOdmCCkLBdjLHSGa4rQ0+Nqh/XwSODQM5H2p4CQTZJhjbxPK8YBr5mG6Y0xDTEm7+ZaL6Fqp6saupv4mevxlwskEMtmQVLia8oQpIuMcRRly6uPox0GUHBPciJjc7LHai2zqGn5yRuUqL/2RmfXGwwK/AGJHS3/R5ZRZS87+J7Z6pgcWU5yLmvw=', '/jPX1RJwNWpAirraz2FbJo6iCtGJJi2Q5WObOWH4yj4oci4Mj6BIOcdeZgWtW2Kh2qXzbmhqPox2JlnZO1/+JQ==', 'zP7fPronnwucEY5Dp6OPgBbQxf8tJiPByXJ04rcWlJToRK/Y32OI2MU20Hq4rMVqVG/uL5FysKz/0xBrbRqJJA==', 'lW8eVMoJ3jWRjD7BEQaSo4kWGM+OXHFGi8PLIzxRfydciJv3rMY2KAP0Q3BrpiBG19NFZIr/UYitx0lSrGmc8w=='
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\ads3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:740:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:304:WilStaging_02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00C98A10 SetThreadPriority,FindVolumeClose,GetCommConfig,LoadLibraryW,GetThreadPriority,GetCommandLineW,SetLastError,GenerateConsoleCtrlEvent,MoveFileWithProgressA,GetProcessHeaps,GetLastError,GetModuleHandleW,GetLastError,InitializeSListHead,DebugSetProcessKillOnExit,EnumSystemGeoID,GetProcessHeap,HeapFree,GetProcAddress,VirtualProtect,LoadResource,GetACP,FreeResource,SetConsoleCtrlHandler,SetConsoleCursorPosition,GetCalendarInfoW,VirtualProtect, 0_2_00C98A10
Source: C:\Users\user\AppVerif\DllHelper.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static file information: File size 1870760 > 1048576
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19f800
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\pik vevaye\Wapawini\gal\Yim.pdb source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, DllHelper.exe.0.dr

Data Obfuscation

Source: 24.3.DllHelper.exe.db30000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 24.3.DllHelper.exe.db30000.1.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 25.3.DllHelper.exe.f110000.1.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 30.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 30.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 30.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 31.2.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 31.0.InstallUtil.exe.400000.0.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 31.0.InstallUtil.exe.400000.1.unpack, Client/Connection/ClientSocket.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB70E7 push 654800CBh; retf 0_2_00CB70EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB8235 push edi; retf 0_2_00CB8236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D8F push esi; retf 0_2_00CB5D92
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D8C push ebx; retf 0_2_00CB5D8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D80 push esp; retf 0_2_00CB5D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D84 push edi; retf 0_2_00CB5D86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D94 push edi; retf 0_2_00CB5D96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D6C push ebp; retf 0_2_00CB5D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D7B push esi; retf 0_2_00CB5D7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D79 push edx; retf 0_2_00CB5D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB5D0C push eax; retf 0_2_00CB5D1E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00C9962F pushfd ; ret 0_2_00C99630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E837F push edi; iretd 0_2_032E8381
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E2215 push cs; iretd 0_2_032E2218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E82A5 push ebx; iretd 0_2_032E82AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E394B push ecx; iretd 0_2_032E394D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E2D74 push E9B77131h; retf 0_2_032E2D95
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FD8235 push edi; retf 24_2_00FD8236
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FB962F pushfd ; ret 24_2_00FB9630
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346B37F push edi; iretd 24_2_0346B381
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03465215 push cs; iretd 24_2_03465218
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346B2A5 push ebx; iretd 24_2_0346B2AF
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_0346694B push ecx; iretd 24_2_0346694D
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_03465D74 push E9B77131h; retf 24_2_03465D95
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe Static PE information: section name: .tenio
Source: DllHelper.exe.0.dr Static PE information: section name: .tenio
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB01F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00CB01F0
Source: initial sample Static PE information: section name: .text entropy: 7.816031131002002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe File created: C:\Users\user\AppVerif\DllHelper.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival

Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2304950340.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292908991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.5733215574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292384259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255355229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2324411113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255974959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2306850553.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2293118725.000000000F112000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2270243732.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 9100, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\user\AppVerif\DllHelper.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2304950340.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292908991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.5733215574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292384259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255355229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2324411113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255974959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2306850553.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2293118725.000000000F112000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2270243732.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 9100, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe TID: 8944 Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe TID: 8944 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppVerif\DllHelper.exe TID: 8160 Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\AppVerif\DllHelper.exe TID: 8716 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8292 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9016 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9008 Thread sleep count: 9925 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 9925
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe API coverage: 8.6 %
Source: C:\Users\user\AppVerif\DllHelper.exe API coverage: 8.6 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03425906 FindFirstFileExW, 0_2_03425906
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034259BA FindFirstFileExW,FindNextFileW,FindClose, 0_2_034259BA
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A8906 FindFirstFileExW, 24_2_035A8906
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A89BA FindFirstFileExW,FindNextFileW,FindClose, 24_2_035A89BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppVerif\DllHelper.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
Source: InstallUtil.exe, 0000001E.00000002.5768662264.00000000054DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2664763859.00000000054C6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.3619122670.00000000054DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2296530654.00000000054C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2664899186.00000000054DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2296724230.00000000054DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2902490903.00000000054DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2292058067.00000000054DC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5768500815.00000000054C8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2902379512.00000000054C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 0000001E.00000002.5741664863.0000000001018000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: SecuriteInfo.com.Variant.Jaik.84784.3654.exe, 00000000.00000002.1716284318.0000000001167000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Jaik.84784.3654.exe, 00000000.00000003.1711068931.0000000001167000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: DllHelper.exe, 00000018.00000002.2270072811.0000000001524000.00000004.00000020.00020000.00000000.sdmp, DllHelper.exe, 00000019.00000002.2306611461.0000000000A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CA0A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CA0A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CA8F12 InterlockedIncrement,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,GetFileType,WriteConsoleW,GetLastError,WriteFile,WriteFile,OutputDebugStringW, 0_2_00CA8F12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CB01F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00CB01F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00C98A10 SetThreadPriority,FindVolumeClose,GetCommConfig,LoadLibraryW,GetThreadPriority,GetCommandLineW,SetLastError,GenerateConsoleCtrlEvent,MoveFileWithProgressA,GetProcessHeaps,GetLastError,GetModuleHandleW,GetLastError,InitializeSListHead,DebugSetProcessKillOnExit,EnumSystemGeoID,GetProcessHeap,HeapFree,GetProcAddress,VirtualProtect,LoadResource,GetACP,FreeResource,SetConsoleCtrlHandler,SetConsoleCursorPosition,GetCalendarInfoW,VirtualProtect, 0_2_00C98A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03424B42 mov eax, dword ptr fs:[00000030h] 0_2_03424B42
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0344E390 mov eax, dword ptr fs:[00000030h] 0_2_0344E390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_034218BF mov eax, dword ptr fs:[00000030h] 0_2_034218BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_032E04C0 mov eax, dword ptr fs:[00000030h] 0_2_032E04C0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A7B42 mov eax, dword ptr fs:[00000030h] 24_2_035A7B42
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035D1390 mov eax, dword ptr fs:[00000030h] 24_2_035D1390
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A48BF mov eax, dword ptr fs:[00000030h] 24_2_035A48BF
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_034634C0 mov eax, dword ptr fs:[00000030h] 24_2_034634C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process queried: DebugPort
Source: C:\Users\user\AppVerif\DllHelper.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00C9D060 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C9D060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CA0A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CA0A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CA05D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CA05D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CA5760 SetUnhandledExceptionFilter, 0_2_00CA5760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03424229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_03424229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_0342115D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0342115D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03420C5C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_03420C5C
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FBD060 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00FBD060
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FC0A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00FC0A60
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FC05D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00FC05D0
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_00FC5760 SetUnhandledExceptionFilter, 24_2_00FC5760
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A7229 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_035A7229
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A415D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_035A415D
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: 24_2_035A3C5C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_035A3C5C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppVerif\DllHelper.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppVerif\DllHelper.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: CBC008
Source: C:\Users\user\AppVerif\DllHelper.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppVerif\DllHelper.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: E58008
Source: C:\Users\user\AppVerif\DllHelper.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page read and write
Source: C:\Users\user\AppVerif\DllHelper.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\user\AppVerif\DllHelper.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Users\user\AppVerif\DllHelper.exe "C:\Users\user\AppVerif\DllHelper.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe
Source: C:\Users\user\AppVerif\DllHelper.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: InstallUtil.exe, 0000001E.00000002.5756022733.0000000003129000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5750093387.0000000003007000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000003.2546144000.0000000005539000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 0000001E.00000002.5756022733.0000000003129000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`,
Source: InstallUtil.exe, 0000001E.00000002.5750093387.0000000003007000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5749924854.0000000003001000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5756758520.000000000314F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe
Source: InstallUtil.exe, 0000001E.00000002.5756022733.0000000003129000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5750093387.0000000003007000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001E.00000002.5749924854.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: GetLocaleInfoA, 0_2_00CB4180
Source: C:\Users\user\AppVerif\DllHelper.exe Code function: GetLocaleInfoA, 24_2_00FD4180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_03420E75 cpuid 0_2_03420E75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.84784.3654.exe Code function: 0_2_00CA5780 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00CA5780

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.DllHelper.exe.ac1168.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.ac1168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.1551530.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.DllHelper.exe.1551530.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.DllHelper.exe.f110000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.DllHelper.exe.db30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000003.2279210253.000000000F110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2304950340.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292908991.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.5733215574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2292384259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255355229.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2324411113.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.2255974959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2306850553.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2293118725.000000000F112000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2270243732.0000000001540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DllHelper.exe PID: 7420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 9100, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: DllHelper.exe, 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, DllHelper.exe, 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, DllHelper.exe, 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: DllHelper.exe, 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, DllHelper.exe, 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, DllHelper.exe, 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: DllHelper.exe, 00000018.00000003.2241216338.000000000DB30000.00000004.00000800.00020000.00000000.sdmp, DllHelper.exe, 00000018.00000003.2256208402.000000000DB32000.00000040.00000800.00020000.00000000.sdmp, DllHelper.exe, 00000018.00000003.2265536971.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0000001E.00000002.5755782102.0000000003119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.5747812323.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 9100, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000001E.00000002.5755782102.0000000003119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.5747812323.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 9100, type: MEMORYSTR