File Identification
MD5: 73b85f4e5145868b2e3ecefff7391115
SHA256: 44285aa905260b91338398c20807f4fbc0d0cd191d23553fa7f060f15ff4718c
ImpHash: c70cc6abf61c556753050f5bc1ab124f
Privilege & Execution Context
Subsystem: WINDOWS_GUI (Windows GUI application)
Privilege Context: USER
Execution Level: AS_INVOKER
PE Headers
DOS Header
e_magic: 0x5a4d
e_lfanew: 0x80
File Header
Machine: 0x14c
Sections: 3
Characteristics: 0x102
Optional Header
Magic: 0x10b
EntryPoint: 0x1405e
ImageBase: 0x400000
SizeOfImage: 0x1a000
Subsystem: 2
Section Analysis
Name         Entropy    Flags                RawSize      VirtSize
.text        5.94       X, R                 74240        73828
.rsrc        5.05       R                    6144         5778
.reloc       0.10       R                    512          12
Imported DLLs & Functions
[Standard Libraries Summary]
mscoree.dll: 1 function
_CorExeMain
ADVANCED ANALYSIS
Timestamp
1779205854 (2026-05-19 15:50:54+00:00)
Alignment Checks
SectionAlignment: 0x2000
FileAlignment: 0x200
Security Flags
DllCharacteristics: 0x8540
ASLR: ENABLED (DYNAMIC_BASE set) (from security_checks.py)
DEP/NX: ENABLED (NX_COMPAT set) (from security_checks.py)
CFG: DISABLED (GUARD_CF not set) (from security_checks.py)
TLS Callbacks
TLS callbacks: None
Relocation Table
Base relocations present: 1
Export Directory
No export directory
Debug / PDB Info
No debug directory
Resource Section
Resource entries: 4
Image Size Consistency
SizeOfImage: 0x1a000 | Sum of Sections: 0x13702
Static Indicators / C2 Detection (STRICT)
No hardcoded IPs detected
[MEDIUM] Hardcoded URLs: https://api.telegram.org/bot, http://ip-api.com/line/?fields=hosting, section=[.text] offset=0xe119, section=[.text] offset=0xe18d
[MEDIUM] Hardcoded Domains: 17 total items
system.io, system.core, system.componentmodel.design, system.linq, system.windows.forms, system.net, system.text, wscript.shell, api.telegram.org, ip-api.com, myapplication.app, section=[.text] offset=0x9b74, section=[.text] offset=0xaf99, section=[.text] offset=0xbf67, section=[.text] offset=0xc3b8, section=[.text] offset=0xc9ac, +6 more
[MEDIUM] Registry Keys: HKEY_LOCAL_MACHINE\software\classes\, HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\
[LOW] User Agents: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome, Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0, Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, l
[HIGH] Suspicious Keywords: download, cmd.exe, connect, powershell, remote, c2, socket, telegram, exec, /c
[MEDIUM] Cloud IOCs: telegram
[HIGH] Anti-VM Indicators: vmware
No valid Base64 candidates found (strict)
* Command Execution Pattern Detected:
Patterns: powershell, cmd.exe
Arguments: /c
Detection: Exact string matching for cmd.exe + command line arguments
🔤 ASCII Strings Detected
ASCII Strings Detected: 949 total items
🔤 Unicode Strings Detected
Unicode Strings Detected: 197 total items
Compiler & Build Environment
No compiler-specific DLLs detected (may use static linking or non-standard toolchain)
Language Runtime: .NET Framework
Binary is unsigned or has invalid signature
String Entropy Analysis
Analyzing extracted strings for encryption/obfuscation indicators
[OK] No suspicious high-entropy strings found (from string_entropy.py)
Analyzed 1329 strings total (from string_entropy.py)
Import Anomalies Analysis
Detecting suspicious imported functions and DLLs
[OK] Import anomaly score: 0/100 (from import_anomalies.py)
DLL Hijacking Detection
Checking for DLL side-loading and hijacking patterns
Relative Path LoadLibrary Calls
Detection: String pattern matching for relative path DLL loading
• kernel32.dll, SbieDll.dll, NTdll.dll, SHCore.dll, user32.dll, avicap32.dll, mscoree.dll
Relative Path References
Detection: Backward slash path pattern matching without drive letters
• HKEY_LOCAL_MACHINE\software\classes\, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Software\, HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\, HKEY_LOCAL_MACHINE\software\classes\., Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
DLL Hijacking Severity: HIGH
Resource Section Analysis
Analyzing .rsrc section for embedded files and anomalies
Total resources: 12
[OK] Resource severity: LOW
Shellcode Patterns Detection
Sophistication Level: ADVANCED
API Resolution: 2 patterns (from shellcode_detection.py)
Detection: Keyword matching (LoadLibraryA, GetProcAddress) in binary strings
- Kernel reference: kernel32.dll
- Kernel reference: ntdll.dll
ROP Gadgets: 7 found (from shellcode_detection.py)
Detection: Opcode sequence scanning in .text/.code sections
Overlay Analysis
Detecting data appended beyond PE file boundaries
[OK] No overlay detected (clean PE boundaries)
Anti-Analysis Techniques
Detecting evasion and debugging prevention methods
Anti-VM Detection
Detection: 2+ VM detection techniques (CPUID, SIDT, VMware strings, etc.)
• VirtualBox (from anti_analysis.py), VMware (from anti_analysis.py)
Malware Sophistication: INTERMEDIATE
Persistence Mechanisms
Detecting methods for maintaining presence on system
Scheduled Task Detection
Detection: String matching for scheduler APIs and keywords
• schtasks (from persistence_detection.py)
Startup Folder References Detected
Detection: String pattern matching for startup folder paths
• get_StartupPath (from persistence_detection.py)
WMI Persistence Indicators
Detection: WMI keyword pattern matching in strings
• Win32_Process (from persistence_detection.py)
PERSISTENT MALWARE DETECTED (3 method(s))
Methods: Scheduled Tasks, Startup Folder, WMI Event Subscriptions
Mutex Analysis
Detecting mutex patterns and malware families
[OK] No mutex creation APIs found
Unified Threat Classification
Overall Threat Level: CRITICAL
Detection Confidence: 75%
Total Threats: 8 findings
Detection Engines: ANTI_ANALYSIS_DETECTOR, COMPILER_DETECTOR, COM_HIJACKING_DETECTOR, DLL_HIJACKING_DETECTOR, IMPORT_ANOMALY, MUTEX_DETECTOR, OVERLAY_ANALYSIS, PACKER_DETECTOR, PERSISTENCE_DETECTOR, RESOURCE_ANALYSIS, SHELLCODE_DETECTOR, STRING_ENTROPY, YARA_SCANNER

[1] CRITICAL - Ransomware_Generic
Source: YARA (Ransomware_Generic)
Evidence: Generic ransomware detection patterns

[2] HIGH - Rootkit_Indicators
Source: YARA (Rootkit_Indicators)
Evidence: Detects rootkit installation patterns

[3] HIGH - Anti-Analysis Evasion Detected
Source: Anti-Analysis Detector
Evidence: VirtualBox | VMware

[4] MEDIUM - Command_Execution
Source: YARA (Command_Execution) | YARA (C2_Communication)
Evidence: Detects command execution capabilities with obfuscation/hiding

[5] MEDIUM - Persistence_Mechanisms
Source: YARA (Persistence_Mechanisms) | Persistence Detector
Evidence: Detects persistence installation methods

[6] MEDIUM - Polymorphic_Signature
Source: YARA (Polymorphic_Signature) | Packer Detector
Evidence: Detects polymorphic engine signatures

[7] MEDIUM - Hooks_and_Detours
Source: YARA (Hooks_and_Detours)
Evidence: Detects API hooking and function detouring

[8] MEDIUM - String_Encryption
Source: YARA (String_Encryption)
Evidence: Detects encrypted/obfuscated strings

Packed:                [-] NO                    (various techniques)
C2/Communication:      [+] YES                   (8 YARA matches)
Persistence:           [+] YES                   (3 method(s))
Anti-Analysis/Evasion: [+] YES                   (anti-debug, anti-VM, timing checks)
Malware Complexity:    ADVANCED (5/6 indicators)
Analysis completed successfully