Edit tour

Windows Analysis Report
BfwPdttqxH

Overview

General Information

Sample Name:	BfwPdttqxH (renamed file extension from none to exe)
Analysis ID:	679457
MD5:	d4278af4c129db3ea1c48d890304abd1
SHA1:	b6ca93a2c12c164a73339020070662b618723744
SHA256:	9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
Tags:	32exetrojan
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected AsyncRAT

Multi AV Scanner detection for dropped file

Creates executable files without a name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

BfwPdttqxH.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\BfwPdttqxH.exe" MD5: D4278AF4C129DB3EA1C48D890304ABD1)

powershell.exe (PID: 1748 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2360 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

BfwPdttqxH.exe (PID: 4684 cmdline: C:\Users\user\Desktop\BfwPdttqxH.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

BfwPdttqxH.exe (PID: 1508 cmdline: C:\Users\user\Desktop\BfwPdttqxH.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

cmd.exe (PID: 5712 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4228 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 5684 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5784 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

.exe (PID: 4336 cmdline: "C:\Users\user\AppData\Roaming\.exe" MD5: D4278AF4C129DB3EA1C48D890304ABD1)

powershell.exe (PID: 916 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5236 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

.exe (PID: 4180 cmdline: C:\Users\user\AppData\Roaming\.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

.exe (PID: 3356 cmdline: C:\Users\user\AppData\Roaming\.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

conhost.exe (PID: 2236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MpCmdRun.exe (PID: 1508 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "37.0.14.198", "Ports": "6161", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x166c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x140ff:$x1: AsyncRAT 0x1413d:$x1: AsyncRAT
00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1bd8f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x290db:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3a6ff:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1bcfd:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x29049:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3a66d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d094:$a2: Stub.exe 0x1d124:$a2: Stub.exe 0x2a3e0:$a2: Stub.exe 0x2a470:$a2: Stub.exe 0x3bf3c:$a2: Stub.exe 0x3bfcc:$a2: Stub.exe 0x1886f:$a3: get_ActivatePong 0x25bbb:$a3: get_ActivatePong 0x371df:$a3: get_ActivatePong 0x1bf15:$a4: vmware 0x29261:$a4: vmware 0x3a885:$a4: vmware 0x1bd8d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x290d9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3a6fd:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19686:$a6: get_SslClient 0x269d2:$a6: get_SslClient 0x37ff6:$a6: get_SslClient
00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1c64b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x29997:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3afa7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1c5b9:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x29905:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3af15:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d950:$a2: Stub.exe 0x1d9e0:$a2: Stub.exe 0x2ac9c:$a2: Stub.exe 0x2ad2c:$a2: Stub.exe 0x3c7e4:$a2: Stub.exe 0x3c874:$a2: Stub.exe 0x1912b:$a3: get_ActivatePong 0x26477:$a3: get_ActivatePong 0x37a87:$a3: get_ActivatePong 0x1c7d1:$a4: vmware 0x29b1d:$a4: vmware 0x3b12d:$a4: vmware 0x1c649:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x29995:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3afa5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19f42:$a6: get_SslClient 0x2728e:$a6: get_SslClient 0x3889e:$a6: get_SslClient
00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb1f3:$x1: AsyncRAT 0xb231:$x1: AsyncRAT
00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x95e3:$x1: AsyncRAT 0x9621:$x1: AsyncRAT
00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa133:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x166be:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x140f7:$x1: AsyncRAT 0x14135:$x1: AsyncRAT
Process Memory Space: BfwPdttqxH.exe PID: 5932	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BfwPdttqxH.exe PID: 5932	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: BfwPdttqxH.exe PID: 5932	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x861e7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: BfwPdttqxH.exe PID: 1508	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: BfwPdttqxH.exe PID: 1508	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x6569:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x24a5a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: BfwPdttqxH.exe PID: 1508	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6144:$x1: AsyncRAT 0x6176:$x1: AsyncRAT 0x1ca3e:$x1: AsyncRAT 0x1ca70:$x1: AsyncRAT 0x24b20:$s6: VirtualBox 0x24ad3:$s8: Win32_ComputerSystem
Process Memory Space: .exe PID: 4336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: .exe PID: 4336	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: .exe PID: 4336	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x10623:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: .exe PID: 3356	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x22086:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: .exe PID: 3356	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1334b:$x1: AsyncRAT 0x1337d:$x1: AsyncRAT 0x21c71:$x1: AsyncRAT 0x21ca3:$x1: AsyncRAT
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.BfwPdttqxH.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.0.BfwPdttqxH.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.0.BfwPdttqxH.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.0.BfwPdttqxH.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient
25.2..exe.294fda8.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.294fda8.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
25.2..exe.294fda8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1b957:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.294fda8.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1b8c5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x1d194:$a2: Stub.exe 0x1d224:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x18437:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x1badd:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1b955:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x1924e:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1b943:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1b8b1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x1d180:$a2: Stub.exe 0x1d210:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x18423:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x1bac9:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1b941:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x1923a:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1767f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28c8f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x175ed:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28bfd:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x18984:$a2: Stub.exe 0x18a14:$a2: Stub.exe 0x2a4cc:$a2: Stub.exe 0x2a55c:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x1415f:$a3: get_ActivatePong 0x2576f:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x17805:$a4: vmware 0x28e15:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1767d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28c8d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x14f76:$a6: get_SslClient 0x26586:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2945318.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2945318.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2945318.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1b82b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28b77:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3a187:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1b799:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28ae5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3a0f5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1cb30:$a2: Stub.exe 0x1cbc0:$a2: Stub.exe 0x29e7c:$a2: Stub.exe 0x29f0c:$a2: Stub.exe 0x3b9c4:$a2: Stub.exe 0x3ba54:$a2: Stub.exe 0x1830b:$a3: get_ActivatePong 0x25657:$a3: get_ActivatePong 0x36c67:$a3: get_ActivatePong 0x1b9b1:$a4: vmware 0x28cfd:$a4: vmware 0x3a30d:$a4: vmware 0x1b829:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28b75:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3a185:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19122:$a6: get_SslClient 0x2646e:$a6: get_SslClient 0x37a7e:$a6: get_SslClient
25.2..exe.2942a5c.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.2942a5c.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
25.2..exe.2942a5c.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1767f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28ca3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.2942a5c.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x175ed:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28c11:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x18984:$a2: Stub.exe 0x18a14:$a2: Stub.exe 0x2a4e0:$a2: Stub.exe 0x2a570:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x1415f:$a3: get_ActivatePong 0x25783:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x17805:$a4: vmware 0x28e29:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1767d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28ca1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x14f76:$a6: get_SslClient 0x2659a:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2952664.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2952664.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2952664.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
25.2..exe.2942a5c.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.2942a5c.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.2942a5c.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
25.2..exe.294fda8.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.294fda8.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.294fda8.6.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
25.2..exe.2931564.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.2931564.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
25.2..exe.2931564.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1b82b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28b77:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3a19b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.2931564.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1b799:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28ae5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3a109:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1cb30:$a2: Stub.exe 0x1cbc0:$a2: Stub.exe 0x29e7c:$a2: Stub.exe 0x29f0c:$a2: Stub.exe 0x3b9d8:$a2: Stub.exe 0x3ba68:$a2: Stub.exe 0x1830b:$a3: get_ActivatePong 0x25657:$a3: get_ActivatePong 0x36c7b:$a3: get_ActivatePong 0x1b9b1:$a4: vmware 0x28cfd:$a4: vmware 0x3a321:$a4: vmware 0x1b829:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28b75:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3a199:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19122:$a6: get_SslClient 0x2646e:$a6: get_SslClient 0x37a92:$a6: get_SslClient
Click to see the 35 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BfwPdttqxH.exe

Virustotal: Detection: 23%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\.exe	Virustotal: Detection: 23%			Perma Link
Source: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Virustotal: Detection: 23%			Perma Link

Machine Learning detection for sample

Source: BfwPdttqxH.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Joe Sandbox ML: detected

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack

Avira: Label: TR/Dropper.Gen

Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "37.0.14.198", "Ports": "6161", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}

Source: BfwPdttqxH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BfwPdttqxH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 37.0.14.198 37.0.14.198

Source: global traffic

TCP traffic: 192.168.2.3:49763 -> 37.0.14.198:6161

Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198

Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000002.299907239.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: BfwPdttqxH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250C364	0_2_0250C364
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250E730	0_2_0250E730
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250E720	0_2_0250E720
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0510	0_2_06FB0510
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB90E8	0_2_06FB90E8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB5168	0_2_06FB5168
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0F08	0_2_06FB0F08
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB1DF8	0_2_06FB1DF8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB8A40	0_2_06FB8A40
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB46EC	0_2_06FB46EC
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB46D1	0_2_06FB46D1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB4693	0_2_06FB4693
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB8490	0_2_06FB8490
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB847F	0_2_06FB847F
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB45E8	0_2_06FB45E8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB45D8	0_2_06FB45D8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2578	0_2_06FB2578
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0500	0_2_06FB0500
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB43C8	0_2_06FB43C8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB43B9	0_2_06FB43B9
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB4188	0_2_06FB4188
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB4179	0_2_06FB4179
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB515B	0_2_06FB515B
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0EF9	0_2_06FB0EF9
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB3F80	0_2_06FB3F80
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB3F71	0_2_06FB3F71
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB5CE0	0_2_06FB5CE0
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2CD8	0_2_06FB2CD8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2CC8	0_2_06FB2CC8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB5CAD	0_2_06FB5CAD
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2C91	0_2_06FB2C91
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB1DAD	0_2_06FB1DAD
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2AD8	0_2_06FB2AD8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2AC9	0_2_06FB2AC9
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB8A30	0_2_06FB8A30
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB38D8	0_2_06FB38D8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB38D7	0_2_06FB38D7
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB38C8	0_2_06FB38C8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FBD848	0_2_06FBD848
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FBD838	0_2_06FBD838
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB09B0	0_2_06FB09B0
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB09A0	0_2_06FB09A0
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0ADD74B8	0_2_0ADD74B8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0ADD0040	0_2_0ADD0040
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0ADD86E0	0_2_0ADD86E0
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267C364	25_2_0267C364
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267E720	25_2_0267E720
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267E730	25_2_0267E730
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D74B8	25_2_0A5D74B8
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D0040	25_2_0A5D0040
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D001E	25_2_0A5D001E
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D86E0	25_2_0A5D86E0

Source: BfwPdttqxH.exe, 00000000.00000002.285752436.000000000AB90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.280149519.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.278438794.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000000.234523132.0000000000342000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCommonSecurityDescrip.exe: vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.285165562.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000009.00000000.274209542.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe	Binary or memory string: OriginalFilenameCommonSecurityDescrip.exe: vs BfwPdttqxH.exe

Source: BfwPdttqxH.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZgolgcKGNozdg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: .exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BfwPdttqxH.exe

Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File read: C:\Users\user\Desktop\BfwPdttqxH.exe

Jump to behavior

Source: BfwPdttqxH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe "C:\Users\user\Desktop\BfwPdttqxH.exe"
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe"
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe	Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File created: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@36/17@0/1

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: BfwPdttqxH.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, ejMMMDwLLjKzq/LtTbNDNFDJ.cs

Base64 encoded string: 'OlOq69vUs0qrY9sfe8nVzFk6ZIxT8BYvVbCG2Iz7nj/xNC11BFuqXaS9CCauYbpQVqOHuK4U2/gALe+toORIJg==', 'HfI6KH+7gAy83L5eZNHZjDjtPo7/B8I7ksbajOImZ2EmaSuH9/0EakbAg0tgbyR2P9JcxOW0Ar622IyJvYSwdQ==', 'SyFVR4uNhKocXRnQhm1ldqtUv2c46H8gQ9xYVj56GGJdW3xO/HaNbcBpRvTM+3M48NNedDjc6CmR+yj6K3/hJQ==', 'wF8b9CsOtkZPwIccMdvdK0ttlcxJ+j9XrFwfP1uL1RwJOQTJG6SHhxRvl44b7R6EZCaVc4SePo6VAOBiYcY0CzD5ehQ/MplsG7nGYv4JDobfXxLKbgH44T6zxBZTQRsWKbtApSXT9dz6gDgX/lD4gxOaZW2/iEs4fGJclwdzjD16J0u79Ffc7Tt8d2KODOl+KVsJs+G4Z6A8/x24Y6W+twOom13LKMxBrR2AXNhkBBVNQmgKMqygSRtVdun6UwzUX7ZiIHxWxusWdEnt/owqnoHqEiSmDzh2xQKqqquNRaKZsf5mNo/b0Qn3e77rz3qXZ/JScWK7J2FAzZwsbZPI2AKvDNh3pPNX4RHGKaCIDUPBjCnfOxeRzelIJwhFj6+9zWPdukVZ9c9npMwd9mCEFrBsbAp7640zwGnLQB2W6+k8iapCsG67lVigzDkepFizmCbaKxpQn1V1x0QGZJ0V+P9v/Uzyi35Q2gzKboFIg8owc1+j0i2xlxAKClis40ZRXTMNL8ZqAy/uY3qGVYpnerVMGoBCheSQvi8+Qu+yPVa5PQ1NsgagAV3kDRNxXsviUVFqd+bUwqq+zQy14NNFox4H8C87aNnM6HpZP8U3EqeXsOC+tB6ibRLYgU2DEjt/pIrT1EeVBYbMjprWU3izDVyVcQZaI2tqdviwg8RjOC+bwZ4xNtCtCXBS5tRADyPJ6SyhcK5tVT5EbXHTlOia9zzsRgIcHwWgoxamr/cI6cIya+lVvvk/sENQGRgR2NUJp/NOzIjyLLHmIo3/2HV2Luqv/ha4jf4PirhDc0liOc+I9Gbe52wk0qF+WTPUSXnNEOEg1Hx72nCTtKA9oBf3FGzwsrj7MZjzJXqeGapyd0PZXq8MFx7OGcbFX0DHh0xBZkqUqebSG9tEXiaJe9syVrynisO7uRgqFMp0kXLjC2C8Lb5fJzUaMF88sVgs/b/ryjiJmpysQYLCFgaGOESTVwx5JKvEMyXHmLQM/l9G+7ac576/7vdYCLQSDbxAeiq5aDuZn++RTgfk0v+YVkWk9nRs4tIPcHiA5i/7+t+bNDDqzdTmonIubovygKzaSdrIUMt4JdtmhZjyeKvMSgek3qJ7o6urABIrqmmUiDoEttHg/NvU4XSIJ6zumLC2h59sk+dp42D7i7CkHk8Q3Ldn318l52hbd6QesZnzkcqRdLXlFg4WGH93ftzEkXJt2SFoWDwFDCF39jImvvZCUSn3dyUNsFoUFolDRBGw2eQVzhnQJcZ8pRswsmXZWbLz2IwoKiPEwy7TKF9IyGeLL/Um8w+KKTQvjPlum19w6leDUpa4dgDz6CGAbr8F6PKU2p/JEsDSyAbg9uhbGVkH64bFHL5syGg+0gA5YwV/+TIgap4/lSV3kxh9r1KOKAqpJZwIBpuW/p0LXVSa8qvFW5nbKM008a0waXkSeCZU7JHdbZWceU1zmp5ATXI41vOeGdpizGNXgkdsC88seNKinWBlmGMKCAmGNTQSANaaHRCCrx0XDqQd6XgDVCUrWubP9BLTMlfWEBzN7VSrc1tCqR24hb4hvP5SLDHPZgmeg/eOxEPi5CLfw435ZUZcD4afImb2uc9Un7+8Fs4xQmnAqAZyBHI8hpp545xIw0f0p2hc8TcA8li9PHY78Bjhp+ayx3/gatJqfTw+hwJ5R98RodfcAjRKe/ElBcouSjP99JlldoiFDDDYkwqEENDZYrT2sP3SQLwxkzl8Y/E1BcMBQ7eboVo6L6EyUIcqR0u33Tt8+p5osoYfnO0V294vZSSZJUtOqOgyoIJMDMyvvqphGDv9wwYA5thG+Q0HxtHe2D0yxC3MmPjNmeUhSHN7JbcRBynq0skpYVrSQ4pHykQBaNItl44+VnQ7hnWVk68qSzTJQT1WCRW0YZJ1/FcR/aeFToSoPA6i421Q6cgt4gbE8p1QRsPykuBBaSke7KJWFj66brxjZmLD+KR3Kkycf+uetChEl7TrS+DVJFFh6XGEDfEvOSQIBRlNJ/zmwwpIF7OVTZnwEOD2w4+0M/r/Urs7LTKLjF1ifl/TJn5o013ZlFpPoON+aM50ic4TQUYo33iVaC9qmaNDvlt+fuVxBaF1nYaGHkphZscXK+ZQu/PuJHRBdRWjWU7tM0RM4vlPCyyOx+D0Uco7N0/VY0KQCv6EL0aWulNqlh+epReFTk5Kt0zvcDZ1wx/thTlZLe4qIT38hu+lhajmJy6Dw7hkVo/eh54uAq9lx5d+o9+ExiXgvo9wnyGVa8GAJqpWJF+oWBoTohR78TzKtAlSDIStlHCmao++ui+WRKTl54PWJP/9Nf6D+TR6uEbl04gcEhT75utqIRM=', 'jurqkpV4RNoBZmcjvtXZZghCHugRIcYGN32qAizCbKFIy9GhwU4BP7j2R88XCp/AIfYIpIRSqj/2VmkrKCcPkg==', 'xcoHQMaUePtysPL0GIc7NyNlNBJGy50GxXU8POFrBNV3MNvxFtT4Poy4+QAvV5D585tl87xV5FtjXBesOkI//A=='

Source: C:\Users\user\AppData\Roaming\.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_01

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""

Source: BfwPdttqxH.exe, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ZgolgcKGNozdg.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.BfwPdttqxH.exe.2c0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: .exe.9.dr, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BfwPdttqxH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BfwPdttqxH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BfwPdttqxH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: BfwPdttqxH.exe, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ZgolgcKGNozdg.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.BfwPdttqxH.exe.2c0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: .exe.9.dr, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, LqzYFxeCuXZpYA/nGuOiLeYKRcjh.cs	.Net Code: IlKRlVvntjjrs System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250F03A push eax; retf	0_2_0250F041
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250BB31 push E004B4A9h; ret	0_2_0250BB3D
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB6C59 push es; retn FB6Bh	0_2_06FB6C40
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB1D19 push es; iretd	0_2_06FB1D20
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267BB31 push E004BEA9h; ret	25_2_0267BB3D

Source: BfwPdttqxH.exe

Static PE information: 0x805C46C7 [Tue Mar 30 03:04:39 2038 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.355955012928353
Source: initial sample	Static PE information: section name: .text entropy: 7.355955012928353
Source: initial sample	Static PE information: section name: .text entropy: 7.355955012928353

Persistence and Installation Behavior

Creates executable files without a name

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File created: C:\Users\user\AppData\Roaming\.exe

Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	File created: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe			Jump to dropped file
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	File created: C:\Users\user\AppData\Roaming\.exe			Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, .exe, 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\BfwPdttqxH.exe TID: 5836	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe TID: 5856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4244	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe TID: 2916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe TID: 2136	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe TID: 3308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4656	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\.exe TID: 3776	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9039			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8452

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	File Volume queried: C:\ FullSizeInformation

Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: .exe, 00000019.00000002.342688617.0000000000983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\::b
Source: .exe, 00000023.00000002.517636332.0000000004EC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: BfwPdttqxH.exe, 00000009.00000002.307480033.0000000005039000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\O
Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Memory written: C:\Users\user\Desktop\BfwPdttqxH.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe	Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Users\user\Desktop\BfwPdttqxH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Users\user\Desktop\BfwPdttqxH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Users\user\AppData\Roaming\.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Users\user\AppData\Roaming\.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	111 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	121 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BfwPdttqxH.exe	24%	Virustotal		Browse
BfwPdttqxH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\.exe	24%	Virustotal	Browse
C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	24%	Virustotal	Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.0.BfwPdttqxH.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000002.299907239.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.0.14.198	unknown	Netherlands		198301	WKD-ASIE	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679457
Start date and time: 05/08/202220:23:10	2022-08-05 20:23:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BfwPdttqxH (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@36/17@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 93% Number of executed functions: 112 Number of non-executed functions: 32
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target .exe, PID 3356 because it is empty
Execution Graph export aborted for target BfwPdttqxH.exe, PID 1508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:24:17	API Interceptor	1x Sleep call for process: BfwPdttqxH.exe modified
20:24:23	API Interceptor	83x Sleep call for process: powershell.exe modified
20:24:44	API Interceptor	1x Sleep call for process: .exe modified
20:25:43	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
37.0.14.198	JskVxLfvZF.exe	Get hash	malicious	Browse
	new order #019_U2117.exe	Get hash	malicious	Browse
	Dhl Shipping Documents AWB 9350261742.pdf.exe	Get hash	malicious	Browse
	New order #019_U2117,pdf.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Scr.MalPbsgen1.30982.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.3237.exe	Get hash	malicious	Browse
	payment of invoice no23562.exe	Get hash	malicious	Browse
	Product Inquiryy 692022.exe	Get hash	malicious	Browse
	MY RESUME.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WKD-ASIE	RFQ - 0740089380 WIpak Oy July.xlsx	Get hash	malicious	Browse	37.0.14.206
	JskVxLfvZF.exe	Get hash	malicious	Browse	37.0.14.198
	iNRzZQAxcL.exe	Get hash	malicious	Browse	37.0.14.212
	PO -002784.xlsx	Get hash	malicious	Browse	37.0.14.206
	85m6riZZ9Q.exe	Get hash	malicious	Browse	37.0.14.206
	OBTLWkeJIt.exe	Get hash	malicious	Browse	37.0.14.206
	5E440E04F382464DB10245C9F730D64D839368EF763BB.exe	Get hash	malicious	Browse	37.0.11.8
	quotation request doc.exe	Get hash	malicious	Browse	37.0.14.195
	Ys8Dl5TmVW.exe	Get hash	malicious	Browse	37.0.8.138
	PAYMENT.EXE.exe	Get hash	malicious	Browse	37.0.14.199
	xQIsUZqJ4i.exe	Get hash	malicious	Browse	37.0.14.196
	n4nBmx03cQ.exe	Get hash	malicious	Browse	37.0.11.164
	PO No.27485758Julu763773782999999299292922.exe	Get hash	malicious	Browse	37.0.14.203
	F735CF911B0F9914977D9DA28E834447E4100EC8A2D5E.exe	Get hash	malicious	Browse	37.0.8.39
	Contract Wipak Oy 2022.pdf.exe	Get hash	malicious	Browse	37.0.14.206
	PO-92059.doc.exe	Get hash	malicious	Browse	37.0.14.206
	PO-92059.doc.exe	Get hash	malicious	Browse	37.0.14.206
	AA79B859945459FD6D1363C35E68C9D2674A78F1FDEE0.exe	Get hash	malicious	Browse	37.0.10.214
	PO#15032016-A0019754456777765.exe	Get hash	malicious	Browse	37.0.14.203
	Payment Advice.exe	Get hash	malicious	Browse	37.0.11.227

Process:	C:\Users\user\AppData\Roaming\.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1750
Entropy (8bit):	5.3375092442007315
Encrypted:	false
SSDEEP:	48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
MD5:	92FEE17DD9A6925BA2D1E5EF2CD6E5F2
SHA1:	4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
SHA-256:	67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
SHA-512:	C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BfwPdttqxH.exe.log

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1750
Entropy (8bit):	5.3375092442007315
Encrypted:	false
SSDEEP:	48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
MD5:	92FEE17DD9A6925BA2D1E5EF2CD6E5F2
SHA1:	4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
SHA-256:	67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
SHA-512:	C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22312
Entropy (8bit):	5.6017760530946585
Encrypted:	false
SSDEEP:	384:XtCDR7k0X8aiBQrnIS0nMjultI+HpaeQ99gRcxmT1MaLZlbAV7B/JcZBDI+Bo:ugBCITMCltxJat8RdCqfwtGVI
MD5:	706BF368BF41FC0C490878E2ADA9D7FB
SHA1:	9163B4C4C5C8B74749F97A632F1E417793FBBB5B
SHA-256:	087AA3BF3DD568E4E9D603F6913B584316B55D805CF2E6E359F9927CA720BEB8
SHA-512:	1E4D6DEE39B77F5E9515D218B9983C4E186866EF49D614CE06D33AF7ADAD8B9A77BCBE667F1268E9DEC68C2EB6636FADFE3000450FE1974B1E4E2511D70B9FE5
Malicious:	false
Preview:	@...e.....................o.%.......T... .s..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dc33iso.2wh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qidwwvk3.wko.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3bd04b3.uye.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxtn0rnf.2ib.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.152940532036133
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTKv
MD5:	C1CE3B34B343D23210BE2315F10F6BD4
SHA1:	9F5FB230FF5A381EF31767BA6D63F8121D77EB43
SHA-256:	632E8FBEE2BEC3E0317733FF1F15F085C9F315DB7809DC1E47B86AE00C0E402F
SHA-512:	1BD66EE0E59FCF0814EB422A9A8F85BED743273B33409CA167DAB89DD8769CCC89D8B0D96F0F5820DFA923348286D0E8E85E828EB36E460189D1D6CA2ADF0BC7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpD691.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.152940532036133
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTKv
MD5:	C1CE3B34B343D23210BE2315F10F6BD4
SHA1:	9F5FB230FF5A381EF31767BA6D63F8121D77EB43
SHA-256:	632E8FBEE2BEC3E0317733FF1F15F085C9F315DB7809DC1E47B86AE00C0E402F
SHA-512:	1BD66EE0E59FCF0814EB422A9A8F85BED743273B33409CA167DAB89DD8769CCC89D8B0D96F0F5820DFA923348286D0E8E85E828EB36E460189D1D6CA2ADF0BC7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.062292143444952
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViEaKC50CSmqRDWXp5cViE2J5xAInTRIKWcoL1ZPy:hWKqTtT6WXp+NaZ50Zmq1WXp+N23fTrh
MD5:	20D2911EEB8394C37C85158E016A0465
SHA1:	FD49319833F2F4F14E56534A5BBF021C979E2701
SHA-256:	8AA8C51283BBAF49D7EC8CD207873285A89D982F06785828915D64DB1129244E
SHA-512:	D081F982072A7043887B85C6C502791AC9D8522C5FCD281814775CBD4082599D8103B0942B3660CF4EB1912E87929512CC8F60A6A52D820E30187850014D79BC
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpE3E2.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\.exe

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	7.350942080201485
Encrypted:	false
SSDEEP:	12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
MD5:	D4278AF4C129DB3EA1C48D890304ABD1
SHA1:	B6CA93A2C12C164A73339020070662B618723744
SHA-256:	9D19DE1D4BE447775E3345EAE357A9571BD86A607EAF25DF48A6840ACBC390CC
SHA-512:	807C9A5242A831F2F70E8A949A11C58CFE79B9438A7C2D5484CE899CEF6F2F8574F7B03A8D896B5E6473669738266CB04B1B0F9C5E63D85C4C2A00E132B9DCC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 24%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F\...............0.................. ........@.. ....................................@.................................\...O...................................@................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......@...PP......$......................................................}.....(.......(......{.....o.........0..w........r...p..s.......~O.....o.....r$..p..B....(.......s........o......s..........o......{......o........&........,..o...............Tc..........]k.......0..:.........o ........,+..{....o!...o"....o#...o$....B......(.........0..n........r...p..s........o.....r...p..B...(%.......(&.....B...('......s......o(.....r...p()...&...&........,..o................KZ..

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	7.350942080201485
Encrypted:	false
SSDEEP:	12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
MD5:	D4278AF4C129DB3EA1C48D890304ABD1
SHA1:	B6CA93A2C12C164A73339020070662B618723744
SHA-256:	9D19DE1D4BE447775E3345EAE357A9571BD86A607EAF25DF48A6840ACBC390CC
SHA-512:	807C9A5242A831F2F70E8A949A11C58CFE79B9438A7C2D5484CE899CEF6F2F8574F7B03A8D896B5E6473669738266CB04B1B0F9C5E63D85C4C2A00E132B9DCC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 24%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F\...............0.................. ........@.. ....................................@.................................\...O...................................@................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......@...PP......$......................................................}.....(.......(......{.....o.........0..w........r...p..s.......~O.....o.....r$..p..B....(.......s........o......s..........o......{......o........&........,..o...............Tc..........]k.......0..:.........o ........,+..{....o!...o"....o#...o$....B......(.........0..n........r...p..s........o.....r...p..B...(%.......(&.....B...('......s......o(.....r...p()...&...&........,..o................KZ..

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.c1En_sl3.20220805202448.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5798
Entropy (8bit):	5.410872515008515
Encrypted:	false
SSDEEP:	96:BZYhdNwqDo1ZsZMhdNwqDo1Z3P5XjZwhdNwqDo1Z1innaZ9:G
MD5:	AF8EAD164BD6A94818BE40733782624B
SHA1:	86A8F8065E2DDA3E5DD7A9E8B2E35DA8B982CEA6
SHA-256:	0D5E2430B9431E5CC87FBF4E74FCA20AD1569A9CF266C57692DC80893D3E5488
SHA-512:	FB9BE0EFA1E576182ED86026C3DB44CE0497EAA68A5237A29B544688EBD3EFE9E2EF3735D8559EFCF225E80584D3460469922A97DE2C619A0AEC996189115E62
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220805202449..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..Process ID: 916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220805202449..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..********************..Windows PowerShell transcript start..Start time: 20220805202904..Username: computer\user..RunAs User: computer

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.v9r7NV+a.20220805202421.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5801
Entropy (8bit):	5.411757839217602
Encrypted:	false
SSDEEP:	96:BZJhdNoqDo1Z5Z7hdNoqDo1Z9P5XjZdhdNoqDo1ZoinnvZA:X
MD5:	1A03A3E434CC299FA1E9A277DB8517E8
SHA1:	0BC8A930029AC6574616DE1BAD1F672938C35783
SHA-256:	F9B62836023539D552AF384A8100090FAE4C8590D2948D8501FC391639AD49DE
SHA-512:	54476AB7B23868ABCE8B089422B8A861F07D801BEACE33DA4E187BF11884CD71BD7A6BC99C0F27034A7EC41BD360C4293EA74201F7141D0EBE47C326AEF3E112
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220805202422..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..Process ID: 1748..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220805202422..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..********************..Windows PowerShell transcript start..Start time: 20220805202815..Username: computer\user..RunAs User: DESKTOP-716T77

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.164173951604669
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zu+e:j+s+v+b+P+m+0+Q+q+F+e
MD5:	7348401F64247D0E1CBEFF9389397F09
SHA1:	29469747E7C077375051373F2353CB8C3332A73A
SHA-256:	7698074830824D745986D9499E756FB505C46118BEF38B3B3317D3572726C298
SHA-512:	8EA31EAE7D517653A0553402CF693975371793E0157FC20FA5715184248402BFFE807E698AF5926DC609D3E4EF7E8E5F983B8AFB037B03CB29C1A0A09CF4A1D8
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.350942080201485
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BfwPdttqxH.exe
File size:	631296
MD5:	d4278af4c129db3ea1c48d890304abd1
SHA1:	b6ca93a2c12c164a73339020070662b618723744
SHA256:	9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
SHA512:	807c9a5242a831f2f70e8a949a11c58cfe79b9438a7c2d5484ce899cef6f2f8574f7b03a8d896b5e6473669738266cb04b1b0f9c5e63d85c4c2a00e132b9dcc2
SSDEEP:	12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
TLSH:	52D40295B2EB9B23E9784FF2B42152644770A03F956BE24E5C893CFB55B1B134B80B43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F\...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x49b6ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x805C46C7 [Tue Mar 30 03:04:39 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec eax
xor al, 46h
pop edx
push esp
inc edi
inc ebx
pop eax
cmp byte ptr [edi], dh
pop eax
xor al, 38h
inc edx
inc esi
aaa
xor al, 47h
inc edx
xor eax, 00003838h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b65c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9b640	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x996cc	0x99800	False	0.7814647165105864	data	7.355955012928353	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x5ec	0x600	False	0.4283854166666667	data	4.1832179829896345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9e000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9c090	0x35c	data
RT_MANIFEST	0x9c3fc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 20:25:00.649559975 CEST	49763	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:00.677119970 CEST	6161	49763	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:01.218621969 CEST	49763	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:01.246222019 CEST	6161	49763	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:01.828075886 CEST	49763	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:01.855520010 CEST	6161	49763	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:06.867600918 CEST	49768	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:06.895004988 CEST	6161	49768	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:07.548412085 CEST	49768	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:07.575721979 CEST	6161	49768	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:08.094209909 CEST	49768	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:08.122539997 CEST	6161	49768	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:13.297027111 CEST	49774	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:13.324470043 CEST	6161	49774	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:13.985409021 CEST	49774	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:14.012593985 CEST	6161	49774	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:14.594739914 CEST	49774	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:14.622123003 CEST	6161	49774	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:19.653361082 CEST	49777	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:19.680777073 CEST	6161	49777	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:20.298470974 CEST	49777	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:20.326313972 CEST	6161	49777	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:20.985925913 CEST	49777	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:21.013403893 CEST	6161	49777	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:26.024643898 CEST	49779	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:26.052314043 CEST	6161	49779	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:26.642718077 CEST	49779	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:26.670074940 CEST	6161	49779	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:27.345860004 CEST	49779	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:27.373054981 CEST	6161	49779	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:32.378705025 CEST	49794	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:32.406044006 CEST	6161	49794	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:32.987075090 CEST	49794	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:33.014451981 CEST	6161	49794	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:33.596462965 CEST	49794	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:33.623859882 CEST	6161	49794	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:38.629328012 CEST	49807	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:38.656769037 CEST	6161	49807	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:39.315737009 CEST	49807	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:39.343333006 CEST	6161	49807	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:39.932595015 CEST	49807	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:39.960140944 CEST	6161	49807	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:44.973624945 CEST	49814	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:45.000778913 CEST	6161	49814	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:45.504049063 CEST	49814	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:45.531956911 CEST	6161	49814	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:46.035042048 CEST	49814	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:46.062295914 CEST	6161	49814	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:51.068294048 CEST	49819	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:51.095670938 CEST	6161	49819	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:51.598002911 CEST	49819	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:51.625327110 CEST	6161	49819	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:52.129281044 CEST	49819	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:52.156703949 CEST	6161	49819	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:57.174474001 CEST	49833	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:57.201643944 CEST	6161	49833	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:57.707907915 CEST	49833	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:57.735132933 CEST	6161	49833	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:58.239228964 CEST	49833	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:58.266422987 CEST	6161	49833	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:03.272723913 CEST	49848	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:03.300067902 CEST	6161	49848	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:03.802263975 CEST	49848	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:03.829683065 CEST	6161	49848	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:04.333569050 CEST	49848	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:04.362463951 CEST	6161	49848	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:09.367032051 CEST	49849	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:09.394157887 CEST	6161	49849	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:09.896497965 CEST	49849	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:09.923904896 CEST	6161	49849	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:10.427694082 CEST	49849	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:10.455108881 CEST	6161	49849	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:15.459968090 CEST	49850	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:15.487970114 CEST	6161	49850	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:15.990724087 CEST	49850	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:16.018672943 CEST	6161	49850	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:16.522026062 CEST	49850	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:16.549967051 CEST	6161	49850	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:21.554250956 CEST	49852	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:21.581816912 CEST	6161	49852	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:22.084964037 CEST	49852	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:22.112504005 CEST	6161	49852	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:22.616478920 CEST	49852	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:22.644006014 CEST	6161	49852	37.0.14.198	192.168.2.3

Target ID:	0
Start time:	20:24:07
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BfwPdttqxH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BfwPdttqxH.exe"
Imagebase:	0x2c0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	20:24:20
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Imagebase:	0x950000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	20:24:20
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	20:24:20
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp
Imagebase:	0xab0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	20:24:21
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	20:24:24
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BfwPdttqxH.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\BfwPdttqxH.exe
Imagebase:	0x2b0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	20:24:25
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BfwPdttqxH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\BfwPdttqxH.exe
Imagebase:	0x6f0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	16
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'
Imagebase:	0xab0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	20
Start time:	20:24:35
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	22
Start time:	20:24:36
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x13b0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	20:24:40
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\.exe"
Imagebase:	0x360000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, Virustotal, Browse

Show Windows behavior

Target ID:	29
Start time:	20:24:46
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Imagebase:	0x950000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 1532, Parent PID: 916

General

Target ID:	30
Start time:	20:24:47
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	31
Start time:	20:24:47
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp
Imagebase:	0xab0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	32
Start time:	20:24:48
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	34
Start time:	20:24:51
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\.exe
Imagebase:	0x3d0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	35
Start time:	20:24:52
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\.exe
Imagebase:	0x470000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen

Show Windows behavior

Target ID:	43
Start time:	20:25:42
Start date:	05/08/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	44
Start time:	20:25:42
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	128
Total number of Limit Nodes:	6

Executed Functions

Function 06FB8A40 Relevance: 2.8, Strings: 2, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hh/v, xrefs: 06FB8CFD
hh/v, xrefs: 06FB8CEF

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: hh/v$hh/v
API String ID: 0-3244231521
Opcode ID: a54877283b09a8df474a7ee440816e4f4972e488de4546b44c089494a4746dc5
Instruction ID: abc93b5a36e11c92abde87d7b065a8247c604e75c42450e6329d65730aa943d6
Opcode Fuzzy Hash: a54877283b09a8df474a7ee440816e4f4972e488de4546b44c089494a4746dc5
Instruction Fuzzy Hash: ECB1F575E05219DFDB58CFA6D8805DEFBB6FF89340F10A42AD425AB254DB349906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0ADD74B8 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 0ADD798A

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: c3d1ab16fa7f99a4e7cf3aff6ca1f8063be57267e43ed4d40381512e9800545a
Instruction ID: 91b6eb82b81f5db1d2e15f92fc1e863ad9b00a300248e0b4b826aa7336d8fe3a
Opcode Fuzzy Hash: c3d1ab16fa7f99a4e7cf3aff6ca1f8063be57267e43ed4d40381512e9800545a
Instruction Fuzzy Hash: B1A2C574A00628DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06FB8A30 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

hh/v, xrefs: 06FB8CFD

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: hh/v
API String ID: 0-845706764
Opcode ID: dc2b4c6e79d4be409c58f10b0b9c171414241447ebd373769ac8fbdf3561245f
Instruction ID: 0c7f4c124346804a5f798bfcee0cee0139fb8a07b70b476697d25be803e9385f
Opcode Fuzzy Hash: dc2b4c6e79d4be409c58f10b0b9c171414241447ebd373769ac8fbdf3561245f
Instruction Fuzzy Hash: 66A11775E05219EFDB58CFA6D8805DEFBB6FF89340F14942AD025AB2A4DB349906CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06FB5168 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

lMS, xrefs: 06FB54FD

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: lMS
API String ID: 0-3710321204
Opcode ID: 3329e2df6f07d6847fd54a98116d454a3c2f79eb7561618f7ec5b04fc66ca27e
Instruction ID: 82ce66a9baeb3651d4d0cad7439ee2111f41f8ec4602d4a3197ba85ab2db23d6
Opcode Fuzzy Hash: 3329e2df6f07d6847fd54a98116d454a3c2f79eb7561618f7ec5b04fc66ca27e
Instruction Fuzzy Hash: 9191D674E01228CFDB68DF66C950B9DB7B3BF89200F1091A9D409A7355DB349E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06FB515B Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

lMS, xrefs: 06FB54FD

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: lMS
API String ID: 0-3710321204
Opcode ID: 8174510998b4b7ca141176446d48cce5c25f6fe99359e37f8f9ca928e710d6b4
Instruction ID: 9f1641f8bdb5f45da592f10219db77f556b95ea90838b708fb18592c4e25f11f
Opcode Fuzzy Hash: 8174510998b4b7ca141176446d48cce5c25f6fe99359e37f8f9ca928e710d6b4
Instruction Fuzzy Hash: A581C374E01228CFDB68CF6AD950B9DBBB3BF89300F1491AAD409A7355DB349A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0F08 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

up^, xrefs: 06FB0FAB

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: up^
API String ID: 0-3666456264
Opcode ID: 958a7ceac0821f531e948f9fd965d674d6da8d211c792036a0f6c1d5ac8e7b6e
Instruction ID: 195828f6887f8ba8d546eb4717e8afd15df5a06813229926e3012a66752310d1
Opcode Fuzzy Hash: 958a7ceac0821f531e948f9fd965d674d6da8d211c792036a0f6c1d5ac8e7b6e
Instruction Fuzzy Hash: A021C471E006188BEB18CFABD9542DEFBB7AFC9310F14C16AD909A6258DB741A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0EF9 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

up^, xrefs: 06FB0FAB

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: up^
API String ID: 0-3666456264
Opcode ID: 8412f18620b1640ec9883afbdc36d56f72e3d7998c96f23c4f2708fcb7525846
Instruction ID: a0b63ae24a72eeba5d6b28615159dba08494fb91775db512e69840318498eb72
Opcode Fuzzy Hash: 8412f18620b1640ec9883afbdc36d56f72e3d7998c96f23c4f2708fcb7525846
Instruction Fuzzy Hash: F621E4B1E016188BDB58CFA7D9542DEBBB3AFC9300F14C16AD408A6268EB745945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06FB1DAD Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57096b2349603d72455daf31f5dfbc8d6e22aaf5c853f5ac7771d842e0a8314b
Instruction ID: e2381096ce1c987617c0428171e3bc52afaa531cd035d4992a3bb2c6976e0579
Opcode Fuzzy Hash: 57096b2349603d72455daf31f5dfbc8d6e22aaf5c853f5ac7771d842e0a8314b
Instruction Fuzzy Hash: BCD15B70E0520ADFCB44CFA6C8908EEFBB6FF89340B14955AE415AB315D734AA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB1DF8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6b65ae7506c0628661af1f70aed78de332bfc5219f75aebb1f0bfca456cb94
Instruction ID: 8e91d1a89c9df416c9f8b3da3788862590381709979ab34085b8869c0fc47ad7
Opcode Fuzzy Hash: 9d6b65ae7506c0628661af1f70aed78de332bfc5219f75aebb1f0bfca456cb94
Instruction Fuzzy Hash: FCC127B4D0420ADFDB44CFA6C5918EEFBB6FF89340B149559D416AB354C738AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2578 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48d5e04392548e19d5e5170778a464e8498a87931150029a5fbda17daff700c
Instruction ID: 2672cea6df4dfba3936c591d5e999ce860403f5e3512c644e2852d336f2d704b
Opcode Fuzzy Hash: e48d5e04392548e19d5e5170778a464e8498a87931150029a5fbda17daff700c
Instruction Fuzzy Hash: CA513578E00219DFCB44CFA9C9949EEFBF2FF89210F049496D905AB365D7349A018F91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0500 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c8798fd5dbd8049b57a9d1c3730000807a2c0dd70eb342e9771375be61a4f6
Instruction ID: dede3189eb95c443bd2588107f8bd4dd3793b617ad468f421467ae2ac568edf5
Opcode Fuzzy Hash: 15c8798fd5dbd8049b57a9d1c3730000807a2c0dd70eb342e9771375be61a4f6
Instruction Fuzzy Hash: 4D510BB1D052099FDB48CFAAD9506EEFBF2EF89300F14D06AD415A7254DB348A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0510 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c99b83e7b82811ab11ed71fee8e9634d55711d10633ddbde0f5c88a6c878df
Instruction ID: d782fbc2b9e535d60e00d9b6e87bf49bac1ca168ba59a36558f147d7efa05227
Opcode Fuzzy Hash: d5c99b83e7b82811ab11ed71fee8e9634d55711d10633ddbde0f5c88a6c878df
Instruction Fuzzy Hash: A651FA71E042099FDB48CFAAD9506EEFBF2EF89300F14D06AD415A7254DB349A41CF98

Uniqueness

Uniqueness Score: -1.00%

Function 06FB90E8 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab675d1ef9cb23f09fd1c33f131d4e6a201dfdf1a2e05234d15788e7f218db9
Instruction ID: 22c017b25757c9ed6b7f8c896c3a026edf353e4acf1a324850fba72bbb198f38
Opcode Fuzzy Hash: 6ab675d1ef9cb23f09fd1c33f131d4e6a201dfdf1a2e05234d15788e7f218db9
Instruction Fuzzy Hash: E251F2B4E012199FCB04DFAAD5849EEFBF6BF89300F18D569E408A7355D734A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEE74 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06FBF0B6

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b4e62a881702fd3b0a2479a0d7c46e00719b1e3655938593d93e9201cb75e390
Instruction ID: 3cdea104eca14cb6c391065b1b8d700f38c9b5e81d2a843057f8b4bc26b267e3
Opcode Fuzzy Hash: b4e62a881702fd3b0a2479a0d7c46e00719b1e3655938593d93e9201cb75e390
Instruction Fuzzy Hash: 93A16A71D01259CFDB60CF69CC81BEEBBB2BF48314F148569E818A7290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEE80 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06FBF0B6

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3bd0e6bf2e55396bc6b3ded0fc86ee8eb1cc0c500aa5b860a184201d9f3d5380
Instruction ID: 9c1bd1fc78ab3c07aaf627db831dc82e17ec17645e09b601f8260ae3fdfef10d
Opcode Fuzzy Hash: 3bd0e6bf2e55396bc6b3ded0fc86ee8eb1cc0c500aa5b860a184201d9f3d5380
Instruction Fuzzy Hash: C6915871D01219CFDB60CFA9CC81BEEBBB2BF48314F148569E818A7290DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02505364 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02505421

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b77a662a85f7d93a30531f16a31a6c27783af41e603ce8455d5caa5a5f4fc874
Instruction ID: c357931a62a554aeacdda837a0ee6697e4a42055304c6b7039424573e2089617
Opcode Fuzzy Hash: b77a662a85f7d93a30531f16a31a6c27783af41e603ce8455d5caa5a5f4fc874
Instruction Fuzzy Hash: 3B410571C00618CFDB14DFAAC9847DEBBB5BF48308F648469D409BB660E7756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 025038A8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02505421

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 45f34d2ce5b03785841332b8714c12255b98e0f117259112562b6937adaf0bc0
Instruction ID: 670f9b406cbdef0de485d39f41fddc1833200f9589262b324758d63cf5f58601
Opcode Fuzzy Hash: 45f34d2ce5b03785841332b8714c12255b98e0f117259112562b6937adaf0bc0
Instruction Fuzzy Hash: D641F371C00218CFDB24DFAAC9847DEBBB5BF48308F608569D408BB661E7756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEB30 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06FBEBC8

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8b276f3c93936148ababd72fc9caffadb64962af51f5f74c1e1ee3fc20e4cb54
Instruction ID: 1792a80e9a014aa96791e53ab7eed46ebcfa6ddd5e7c177a1cb747f16cf0e7c4
Opcode Fuzzy Hash: 8b276f3c93936148ababd72fc9caffadb64962af51f5f74c1e1ee3fc20e4cb54
Instruction Fuzzy Hash: F72128B1D003499FCB10CFA9C8857DEBBF5FF48354F148429E919A7640D7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEB38 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06FBEBC8

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 505fc44cbdabe23e09e3b23c7ff3df2d09ce6b1961bd3144b833a9a93a542ac0
Instruction ID: 03e228425edbe6ef642291769a8034e520ecd9854bc993290060877630e97f25
Opcode Fuzzy Hash: 505fc44cbdabe23e09e3b23c7ff3df2d09ce6b1961bd3144b833a9a93a542ac0
Instruction Fuzzy Hash: 682135B1D003499FCB10CFAAC881BEEBBF5FB48354F048429E919A7640D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FBE858 Relevance: 1.6, APIs: 1, Instructions: 67
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 06FBE8DE

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 65dc83667106e9baccc3c73572400ba3e5ed9f42273889dda6c46f32b2710059
Instruction ID: 0ec882e86e7c3904466ef15651f0a82eeb34f8e6e26d11b4bd48ddc51092053e
Opcode Fuzzy Hash: 65dc83667106e9baccc3c73572400ba3e5ed9f42273889dda6c46f32b2710059
Instruction Fuzzy Hash: FD215CB1D002098FCB10DFAAC4857EEBBF4EF48264F148429D419A7740DB789985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEC61 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06FBECE8

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cdb7320830ca34e4e98a9d680c9929ada61764bd596f83c55dcea2a92f768de5
Instruction ID: 37b8e8c0ef6d6b1aaccab987a09002c3b8065a223f56ee6fc3127cc0b1a2cd71
Opcode Fuzzy Hash: cdb7320830ca34e4e98a9d680c9929ada61764bd596f83c55dcea2a92f768de5
Instruction Fuzzy Hash: 53217AB1C002499FCF00CFAAC8807EEBBF5FF48364F148429E518A3600D7349944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0250AC7C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0250BA36,?,?,?,?,?), ref: 0250BAF7

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 83f12c33428874d7827fba6940ffe79e8dd1c046aa506bf0c30e7be8a7788264
Instruction ID: 94be9bba37d83e4519d147454e935bd17b298177cdccccd9f3a55b97e1c27b0b
Opcode Fuzzy Hash: 83f12c33428874d7827fba6940ffe79e8dd1c046aa506bf0c30e7be8a7788264
Instruction Fuzzy Hash: 7B21E5B5900248DFDB10CFAAD984BEEBBF4FB48324F14846AE914A3750D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0250BA68 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0250BA36,?,?,?,?,?), ref: 0250BAF7

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 770e040b13cb714e2941350c5ecbada66a3d7653e1f9509daacc7fa906ce955e
Instruction ID: 772e090dc07bb3c98b4867344efb874e9c8490b30ae9f502b7dd4c0f807d5f8c
Opcode Fuzzy Hash: 770e040b13cb714e2941350c5ecbada66a3d7653e1f9509daacc7fa906ce955e
Instruction Fuzzy Hash: AB21C6B59002499FDB10CFAAD984BDEBBF8FB48324F14842AE914A7750D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEC68 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06FBECE8

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 93b180e582d2aacd40215efc3e53d3e44bac9234baa451b32cfe169d0dd756ca
Instruction ID: f55debd60747c5ab41429985ea47fc375ee711061a655ebff384d9ac2ac709bf
Opcode Fuzzy Hash: 93b180e582d2aacd40215efc3e53d3e44bac9234baa451b32cfe169d0dd756ca
Instruction Fuzzy Hash: 8D2148B1C002499FCB00CFAAC880BEEBBF5FF48324F148429E918A3650D7389944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FBE860 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 06FBE8DE

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2aaaecea485ca4a7d0ea2d0a7f8ea6be6bc5ffe4f545613105269f1c11de5ac2
Instruction ID: 9b491dbe99ed6a4ee6fecb0ef0c8f5cd7e0bf82ea5c0a221da8fc63dd127c9c5
Opcode Fuzzy Hash: 2aaaecea485ca4a7d0ea2d0a7f8ea6be6bc5ffe4f545613105269f1c11de5ac2
Instruction Fuzzy Hash: 902137B1D002098FCB10DFAAC4857EEBBF4EF48264F14842AD419A7740DB78A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 025099B0 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02509811,00000800,00000000,00000000), ref: 02509A22

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0febee42c7e6cfe7e5e95fad910b5008873bbf1e4d05446af0bb6ba06c1109d2
Instruction ID: f65044d65811def7f98d8975c96478ac4c2bd891537d92d1c5d3570e8abe8710
Opcode Fuzzy Hash: 0febee42c7e6cfe7e5e95fad910b5008873bbf1e4d05446af0bb6ba06c1109d2
Instruction Fuzzy Hash: 5C1147B2D002099FCB10CF9AD884BDEFBF4EB48324F04842AD415A7740C374A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEA30 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06FBEAA6

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6e45e24ff66634674901c2311e68bbd09b60cbb823fbd9ccf86f29250f80bdde
Instruction ID: af0a64affea8f805c95317bfbf2044f6bf20dfa30e507aa235500b907d62b15f
Opcode Fuzzy Hash: 6e45e24ff66634674901c2311e68bbd09b60cbb823fbd9ccf86f29250f80bdde
Instruction Fuzzy Hash: 501159729002489FCB10DFAAC845BDFBBF5FF48324F148419D519A7650D7759945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02508AB0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02509811,00000800,00000000,00000000), ref: 02509A22

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f7d45e14a4c9d21225888a8d760f2b96fb288138c471afd035449512842546e
Instruction ID: fec7f469f7fb2cb9afc672e1baed664b72dc77d55ffa6601e03d4239f6482428
Opcode Fuzzy Hash: 0f7d45e14a4c9d21225888a8d760f2b96fb288138c471afd035449512842546e
Instruction Fuzzy Hash: 241114B2D002489FDB20CF9AD884BDEFBF4FB48724F14842AE815A7651C374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEA38 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06FBEAA6

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 52695896c759ec20356dbe6a2e2802aecaefaddfbcab2f0d270d1e3e50104f41
Instruction ID: 35388eafe4a6934813b9f7b009465f8aaf8152c23f716796ec039ce6e20d31bd
Opcode Fuzzy Hash: 52695896c759ec20356dbe6a2e2802aecaefaddfbcab2f0d270d1e3e50104f41
Instruction Fuzzy Hash: 9A1126729002489FCB10DFAAC845BDFBBF9EB48364F148419D525A7650D775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FBE768 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,08C7380A), ref: 06FBE7D2

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6eea538e304dec5af006a4a31e09d84ab94f4881ca82baad6565a3387f4f7335
Instruction ID: fe0deb533c92822020c1be7c0c9c265f3b1db9de92c942f6fe001e2dc31761c0
Opcode Fuzzy Hash: 6eea538e304dec5af006a4a31e09d84ab94f4881ca82baad6565a3387f4f7335
Instruction Fuzzy Hash: 55116DB1D002488FDB10DFAAC4457DFFBF4EF48224F24842AD429A7B00D778A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06FBE770 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,08C7380A), ref: 06FBE7D2

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 933deb62fafbd41a00085d1ffa0e9a54ecdeb2ae64816f09a8590cafc7ded041
Instruction ID: 0e4120454ea797df9d91244033a8c4d8047e1fc1dbf979ec1f2155b789376208
Opcode Fuzzy Hash: 933deb62fafbd41a00085d1ffa0e9a54ecdeb2ae64816f09a8590cafc7ded041
Instruction Fuzzy Hash: EF113AB1D002488FDB10DFAAC8457DFFBF4EB48264F248429D529A7750D778A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02509730 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02509796

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 13a356c894293f54db9513c5b503c763305ea784f513213c98346eba9126de40
Instruction ID: 5b298a5815db8dfc44e4568b5a3e43ace25ad5adf1756664bac1074f6af085a9
Opcode Fuzzy Hash: 13a356c894293f54db9513c5b503c763305ea784f513213c98346eba9126de40
Instruction Fuzzy Hash: E91113B6C002498FCB10CF9AC984BDEFBF4EB89324F14842AD419B7610D374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02509732 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02509796

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 81431d22f05e6667c45251d43788e8dbacc39dc9fd2aa1f4e48643a18969eac8
Instruction ID: cb7702925c5818e7f79c57e69b0c201d349c338c35877f63d93f923c68df3836
Opcode Fuzzy Hash: 81431d22f05e6667c45251d43788e8dbacc39dc9fd2aa1f4e48643a18969eac8
Instruction Fuzzy Hash: E41110B6C002498FCB10CF9AC984BDEFBF4EB89324F14892AD429B7610C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0ADDFDC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f65c0a066a127e1f2110338be02d757d947a98592506ab1540ae3b813ce0ba
Instruction ID: a6d3674c95ebc683965a8c5409038c6794f4c6a671dda0e1159978c8a8288221
Opcode Fuzzy Hash: 11f65c0a066a127e1f2110338be02d757d947a98592506ab1540ae3b813ce0ba
Instruction Fuzzy Hash: 0721AB34B001189FCB64EBA9D844AEEB7F2EF8C310F514129D446A7794DF389C45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277765110.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff26763fcb3aea7e989ec5fcab45f17ccb58b4331f7ac273eb5461c726ad5a0
Instruction ID: 4bf080d8fcd8249c61e6b54e272eead4dcc50d44c964b8b676786633241c738b
Opcode Fuzzy Hash: fff26763fcb3aea7e989ec5fcab45f17ccb58b4331f7ac273eb5461c726ad5a0
Instruction Fuzzy Hash: 70212571504240DFDB05DF14D9C0BA6BFA6FB98328F6485A9E8050B706C336D896CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277824734.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847dec454740e4d4e4a4d4de815b7a00c8190961116d810897a37f49950a2463
Instruction ID: 43e51659cbe0fa81b50dd6a5a1b154756bbce902ffe0724aeecdd19867a66328
Opcode Fuzzy Hash: 847dec454740e4d4e4a4d4de815b7a00c8190961116d810897a37f49950a2463
Instruction Fuzzy Hash: D9210471604200EFDB05DF14E9C0B26BBA5FB88318F24C9ADE80D4B742C336D84ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277824734.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820da6196e5b9f7ea24551aaa7fd2430e2850ef57167f90a4a740ca122e88bd5
Instruction ID: caea091a6e58db679557787a7049a0e4cef88baa479e245bb28b170ccc07fc65
Opcode Fuzzy Hash: 820da6196e5b9f7ea24551aaa7fd2430e2850ef57167f90a4a740ca122e88bd5
Instruction Fuzzy Hash: C121D075604240DFCB14DF14E9D4B17BBA5EB88318F24C9A9D84E4B766C336D84ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277824734.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdccd9b538ec4f6b2038db8eadfabb02d132c3d748eb23d71676fac53ddff993
Instruction ID: f33d675ea47052a6f9fd9bd9d28d1765ebd37e4d9db2fdfa96c406bf4f102303
Opcode Fuzzy Hash: cdccd9b538ec4f6b2038db8eadfabb02d132c3d748eb23d71676fac53ddff993
Instruction Fuzzy Hash: 3F2184755083809FCB12CF14D994B16BFB1EB46314F28C5EAD8498F667C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0ADDF108 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b467885d9a7e721e721c7aef5f5f9ae99507ef77d855dfdb7936b67dbe746
Instruction ID: 7745af51ea08189de2abb5e1fb12c518cfb64c772d4df0ce67e4637d6d957b4c
Opcode Fuzzy Hash: 914b467885d9a7e721e721c7aef5f5f9ae99507ef77d855dfdb7936b67dbe746
Instruction Fuzzy Hash: D2119E30B00114ABDB78AB75C8106BB76E6AB88760F06853DE81B9B754EF34C9448BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277765110.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: cca0a7d6ab446f1c50b4b8d0f8a4963b31d4c742ff90fddc78062fe578e2dc5c
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: EF11D376504280CFCF16CF10D5C4B56BFB2FB94324F24C6A9D8450B616C336D996CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277824734.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7295738dd5415a26bb4c57afd7e216ba35a237fb4860c4a8b3290a6f7a399039
Instruction ID: 72e999a53d301c560b41e051bc807291a058dfb525749099b4afa2128295ddec
Opcode Fuzzy Hash: 7295738dd5415a26bb4c57afd7e216ba35a237fb4860c4a8b3290a6f7a399039
Instruction Fuzzy Hash: 94116D75504280DFDB16CF14D5C4B15FBB1FB84324F28CAADD8494B656C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277765110.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d7ac8d24948a9ec683b2954950a47e13f4a065a0ff292d4a3a507d51edcd40
Instruction ID: d9605dadc4a1f76d6b8ece79160e00da134cb19ae8f35ace3a7cd799b3fe0564
Opcode Fuzzy Hash: 13d7ac8d24948a9ec683b2954950a47e13f4a065a0ff292d4a3a507d51edcd40
Instruction Fuzzy Hash: 0401F7710083809AE7105B11CDC4BE7BBD8DF41378F5885AAED055A686D7789C84C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277765110.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2f9cb9ce362a7fdcb25e575b2d09323199e9f2993c2b29df695b8a7a20cbdb
Instruction ID: d00cea6bb4fe2a6626d885e045f0262dda95575b71b0ea867df2fdd3e5681e60
Opcode Fuzzy Hash: ec2f9cb9ce362a7fdcb25e575b2d09323199e9f2993c2b29df695b8a7a20cbdb
Instruction Fuzzy Hash: 9EF062714043849EE7109F15DDC8BA3FBD8EB41774F18C56AED085B686C379AC84CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0ADDF0B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0392c41f587249103309a16fdea8bad9e51571acfa909811ab45ce339cc907fe
Instruction ID: 63ac5c3afb5e3f1260693d3c27116b348ed503c3624f48ad9968a4f7048077ea
Opcode Fuzzy Hash: 0392c41f587249103309a16fdea8bad9e51571acfa909811ab45ce339cc907fe
Instruction Fuzzy Hash: ABF0A534D01208EFCB44DFA8D941A9DBBB5EB4C310F10C1AAAC18A3350D7369A51DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0ADD8698 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cccb7b65d102fe0acdf708dc63656abd8bb5344db65a9cdc70cffb3dfa2a58
Instruction ID: 0434f3f6b131ff31e43de784a2bbe560a3f07646168a84a891e4721f83e341d7
Opcode Fuzzy Hash: a5cccb7b65d102fe0acdf708dc63656abd8bb5344db65a9cdc70cffb3dfa2a58
Instruction Fuzzy Hash: 73E09A74E11208EFCB44DFA9D54569DFBF5EB48314F10C1AA9818A3340D736AA46DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0ADDECB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1816f1ba5df5fe4ebf05fdb2bfe6fa4bc51a9da29a9136a536241111fb7c8b32
Instruction ID: 231401f7f5c9ddd3d65deac0b0bfc394d752d5d3002d7c3f416f7fca87d3a048
Opcode Fuzzy Hash: 1816f1ba5df5fe4ebf05fdb2bfe6fa4bc51a9da29a9136a536241111fb7c8b32
Instruction Fuzzy Hash: E6E01A34E11208EFCB80DFA9D545A9CBBF4EF48310F1181EAD818A7310D7349A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0ADD7468 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdaf734da20fda796377e56e593b681872bf17253d2954d3990948f77dd24b27
Instruction ID: d314822b5349352b220c036706dbce425f7ff3cca78ec92afe973c4efbeb5b5b
Opcode Fuzzy Hash: fdaf734da20fda796377e56e593b681872bf17253d2954d3990948f77dd24b27
Instruction Fuzzy Hash: 7AE0C27141210CEBCB10EFB0D40469E7FFCEB09204F0141A9D406A3620EB350A448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0ADDEF08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9720e894383dcf2a829da761f6b8fa62a67893825c808e3e486135d764ab9abf
Instruction ID: 36f3aef3607160b9b0932d6ded1d6113234fc3f078f3aecb93fa6ebb70924f99
Opcode Fuzzy Hash: 9720e894383dcf2a829da761f6b8fa62a67893825c808e3e486135d764ab9abf
Instruction Fuzzy Hash: C5E0C7B280210CEBCB80FFB0D40069E7BECDF04204F0201B9C006A3620EE350A848BB2

Uniqueness

Uniqueness Score: -1.00%

Function 0ADDFD78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609d41d9a299a2247a949329e56bd5d9564cded3fce031cba6f7ecf7d266030b
Instruction ID: 258d7b982b20d3e26fd5038b1e10cf74e1413e6419ddd2e90a9e54ba1708cd83
Opcode Fuzzy Hash: 609d41d9a299a2247a949329e56bd5d9564cded3fce031cba6f7ecf7d266030b
Instruction Fuzzy Hash: EBE0BF34D01108EFC744DF98D54169CFBB5EB48314F10C1A9DC1857344D7355A46CF85

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06FB4188 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

i{rE, xrefs: 06FB422B
i{rERx, xrefs: 06FB4232

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: i{rE$i{rERx
API String ID: 0-1172967640
Opcode ID: 7f056c232e004712c7de64eacf10462d4bc7a98ba904c89d445d1d92e7045ddf
Instruction ID: 5806dcf7ee8ca78c466d1d90fccb1bb35a9debcb7c44b0deca98ba0b044e6059
Opcode Fuzzy Hash: 7f056c232e004712c7de64eacf10462d4bc7a98ba904c89d445d1d92e7045ddf
Instruction Fuzzy Hash: 6661E475E052199FDB44CF9ACA809DEFBF2FF88210F28A42AD505B7319D3309A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2AD8 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

un7, xrefs: 06FB2B19
p7u, xrefs: 06FB2BDF

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: p7u$un7
API String ID: 0-2633086462
Opcode ID: 7166a3f43c305c285ec5eb20122698c65eb934e0ea6dfb61a33670030f50864c
Instruction ID: 4e52ebf194870cddaabb38f56474f65a750313060c80e1475f52b2ba1a781e62
Opcode Fuzzy Hash: 7166a3f43c305c285ec5eb20122698c65eb934e0ea6dfb61a33670030f50864c
Instruction Fuzzy Hash: 95415D70E11209DFCB84CFA6C9814EEFBB2BF89204F24E559C519A7244DB349B41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2AC9 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

un7, xrefs: 06FB2B19
p7u, xrefs: 06FB2BDF

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: p7u$un7
API String ID: 0-2633086462
Opcode ID: bc977f2bd5388c9b22bdf2daead3dfb5bd12e4027c63a6a02c073db0a6541291
Instruction ID: ce035d48af0cdf1a07c5b43d22ba88e469077bf4e6d1b6f9d0578f7341fa868d
Opcode Fuzzy Hash: bc977f2bd5388c9b22bdf2daead3dfb5bd12e4027c63a6a02c073db0a6541291
Instruction Fuzzy Hash: 44418C70E15209DFCB84CFA6C9804EEFBB2BF89254F24E59AC015AB255DB349B40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB3F80 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

RX9<?w%?, xrefs: 06FB40BD
RX9<, xrefs: 06FB40B6

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: RX9<$RX9<?w%?
API String ID: 0-1172182971
Opcode ID: 5b9fd998a1add971b93436694b4d6d1fba791a6f8cd9ef12374d2a7d23948608
Instruction ID: 6bcd6d5d5081379420419b2e9295266545945e024ebe75fa25c022f0da603bbe
Opcode Fuzzy Hash: 5b9fd998a1add971b93436694b4d6d1fba791a6f8cd9ef12374d2a7d23948608
Instruction Fuzzy Hash: 5441E6B1E0420A9FCB48CFAAD5805EEFBF2BF88300F24E46AD415B7244D7349A458F94

Uniqueness

Uniqueness Score: -1.00%

Function 06FB4179 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

i{rERx, xrefs: 06FB4232

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: i{rERx
API String ID: 0-2760201239
Opcode ID: d029f0efe0123087b0c3e83209717e80d3119ac743f0c214c57d480c22412746
Instruction ID: 48b2df5050bc09533fc78f01a2638b43b7b4d8aae01e75ed4422f9e189c3d018
Opcode Fuzzy Hash: d029f0efe0123087b0c3e83209717e80d3119ac743f0c214c57d480c22412746
Instruction Fuzzy Hash: ED611775E052198FDB44CFAAC6819DEFBF2FF88210F28942AD415B7359D3309A42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 06FB3F71 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

RX9<?w%?, xrefs: 06FB40BD

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: RX9<?w%?
API String ID: 0-2195514392
Opcode ID: e5464e66573d44cd419d17d21a878c0563f49144d52a7db649b8ddbad8114731
Instruction ID: 32dbce8bc0c68a60bf2426ddb69588867115ce1f9baf4a03fdc9869d08b5306b
Opcode Fuzzy Hash: e5464e66573d44cd419d17d21a878c0563f49144d52a7db649b8ddbad8114731
Instruction Fuzzy Hash: B14126B1E4420A9FCB48CFAAD5805EEFBF2EF88350F24E42AD415B7244D73496428F94

Uniqueness

Uniqueness Score: -1.00%

Function 06FB5CAD Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

&[dR, xrefs: 06FB5D68

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: &[dR
API String ID: 0-1073770708
Opcode ID: 1108c3962db54ebe1279771d84a17d811b7fe33db0a2273f28be897e679c5ae4
Instruction ID: c13c924ca4a9787bb4cb38c781c51ccce7aa498869d9fdf80af3dd02789b6c44
Opcode Fuzzy Hash: 1108c3962db54ebe1279771d84a17d811b7fe33db0a2273f28be897e679c5ae4
Instruction Fuzzy Hash: A021B1B5E056198BDB08CFAAD9406EEFBB3AFC8210F14C16BD004A7394DB344A05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB5CE0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

&[dR, xrefs: 06FB5D68

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID: &[dR
API String ID: 0-1073770708
Opcode ID: 2ad6182263ab622aadf008b2e9d4da6ebb5398300493156cdf5318a3aa5f3714
Instruction ID: 4e1f7f1d96dc0d399a12d18e037421bda9c5a06ec8b02da6a3f59c6a07e2b047
Opcode Fuzzy Hash: 2ad6182263ab622aadf008b2e9d4da6ebb5398300493156cdf5318a3aa5f3714
Instruction Fuzzy Hash: 6021F471E116198BDB48CFABE9406EEFBF7AFC8210F14D17AD408A7354EB344A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0250E730 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd1fadb0a8d2756bf2d2e41c9dbae4717027bf1abf7970a2a15fa8afa2a8680
Instruction ID: 7df7ff1a3c48d1ce8f1f8d670b504e6bd648840e418365325fe75a6e674a9594
Opcode Fuzzy Hash: 7fd1fadb0a8d2756bf2d2e41c9dbae4717027bf1abf7970a2a15fa8afa2a8680
Instruction Fuzzy Hash: 3D12EDF1C917458BD338CF25E49A1993B61B74632AFD24B08D2612BAD0E7B4016EEF4C

Uniqueness

Uniqueness Score: -1.00%

Function 06FB847F Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839716ec6c8f2f9e118f03cc56942de4c4091bdc19c424c98fe0ad8ab9138b3c
Instruction ID: 6edfb5878c34c67167c09067a020cb65225066b034f983a036e22d5248056e80
Opcode Fuzzy Hash: 839716ec6c8f2f9e118f03cc56942de4c4091bdc19c424c98fe0ad8ab9138b3c
Instruction Fuzzy Hash: ACD1F571C2064A8ACB10EB64D990AEDB7B5FFD5300F50979AD0493B615FF70AAC8CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0250C364 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b76c5a884ae77a41d8daa1554c100f4e0c4255e44d64867ed61a2a1f52c3394
Instruction ID: c6eb87be41ac78e1cc7e6c2350a87b9df844246ea0b1e785915e251c9d231dd0
Opcode Fuzzy Hash: 7b76c5a884ae77a41d8daa1554c100f4e0c4255e44d64867ed61a2a1f52c3394
Instruction Fuzzy Hash: 62A18132E0021A8FCF15DFB5C8845EDBBB2FF85305B15856AE805BB2A1EB71A945CF44

Uniqueness

Uniqueness Score: -1.00%

Function 06FB8490 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f884ba5173c8b2584ab959cdf2f0e58c7c1cfd01454cad9732d2f2538c69a17a
Instruction ID: 56d355094944219caa183adf3a6de768b84e3c713d4d13672ba036dcf59d5cfe
Opcode Fuzzy Hash: f884ba5173c8b2584ab959cdf2f0e58c7c1cfd01454cad9732d2f2538c69a17a
Instruction Fuzzy Hash: 85D1E571C2065A8ACB10EB64D990AEDB3B5FFD5300F50979AD0493B615FF70AAC8CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB45E8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9b26f65bc24b562d2d0139d76eb68222884ae97c46c1d4b44cfdcc2230f0d6
Instruction ID: b5c13223aac0ece2e5737e1785676ef2c6016514593b2d2409fa67b342f9ebb5
Opcode Fuzzy Hash: 6d9b26f65bc24b562d2d0139d76eb68222884ae97c46c1d4b44cfdcc2230f0d6
Instruction Fuzzy Hash: DBB14D74E142199FCB54CFAACA809AEFBF2FF89304F249169D409A735AD7309941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06FB45D8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0402e32a6d5a4bcee779b2ba86a92bd76e71c5f07b4336a37424a3c81397cacc
Instruction ID: 908ad68e543112ab57d81fd629acea712d531562e259c9eac2daa890d868e5dd
Opcode Fuzzy Hash: 0402e32a6d5a4bcee779b2ba86a92bd76e71c5f07b4336a37424a3c81397cacc
Instruction Fuzzy Hash: 27B15D74E152199FCB54CFAACA809AEFBF2BF89300F249169D408A735AD7309D41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0250E720 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278195182.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2500000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f5f4dd60b16889df7467f123799489ffa0836ce2eee177b29310ea2fbdb1bf
Instruction ID: e2639a1e464feb44aae160d5812a834ca248f2e3c21f0016a456ba9b2f431444
Opcode Fuzzy Hash: e3f5f4dd60b16889df7467f123799489ffa0836ce2eee177b29310ea2fbdb1bf
Instruction Fuzzy Hash: B0C14BF1C917458BD728CF25E88A1993B71BB86329FD24B08D1616B6D0F7B4106EEF48

Uniqueness

Uniqueness Score: -1.00%

Function 06FB4693 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc48e1fae4f8579745ea9d38c7fdfa6379e49b3bf0e2fe582665bea8cdb6c59
Instruction ID: abe3f72d32de7b0569d354374cb5ab38fbf7b9ad9d1ea921622835e5dcd4e88c
Opcode Fuzzy Hash: 3dc48e1fae4f8579745ea9d38c7fdfa6379e49b3bf0e2fe582665bea8cdb6c59
Instruction Fuzzy Hash: 53A13A74E152199FCB50CFA6CA809ADFBF2BF89304F249169D409AB35AD730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06FB46EC Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516ee2d586b367fd062378202af58e7f1064843cb364355d381fd4a3f7f1d4d4
Instruction ID: 18a5d92f2b1dadaf0613206831c8636459bc01c209627594b8f0194acb540df7
Opcode Fuzzy Hash: 516ee2d586b367fd062378202af58e7f1064843cb364355d381fd4a3f7f1d4d4
Instruction Fuzzy Hash: A9912B74E152199FCB50CFA5CA809AEFBF2BF89304F249169D409AB35AD730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2C91 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6978b52b6267529f37624cc55d755214191f35de4401ee72166bf4a6e1ad355b
Instruction ID: de891dbc9006cb33684ddb8bb04b48c64b3ad30508412865c4b47e834871c386
Opcode Fuzzy Hash: 6978b52b6267529f37624cc55d755214191f35de4401ee72166bf4a6e1ad355b
Instruction Fuzzy Hash: 09912475E11219CFDB44CFAAD5808EEFBF2FF89210B14A569D415EB224D334AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB46D1 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20336707f025d110c140bb55fcb665e3944f790327a44ebd7628b4495bdbac8
Instruction ID: 280441cf960952e16b01a8bb82350c9b54e247c35de6ceb2c96ee2318e4e3ac0
Opcode Fuzzy Hash: b20336707f025d110c140bb55fcb665e3944f790327a44ebd7628b4495bdbac8
Instruction Fuzzy Hash: 43913B74E152199FCB50CFA6CA809ADFBF2BF89204F249169D409AB35AD730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2CD8 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d172861a0099dabf68d458836d37cac56f1b7ec7d741bc1c3df378818a6f206e
Instruction ID: 5412ea00988cebf3eebf824a6627700687ecb824ae864459c40a2e42a2b9ec2d
Opcode Fuzzy Hash: d172861a0099dabf68d458836d37cac56f1b7ec7d741bc1c3df378818a6f206e
Instruction Fuzzy Hash: FA91F275E15219CFDB44CFAAD5809EEFBF2FF88210F14A569D415AB224D334AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2CC8 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710f50bb6b2cffd45e9597a020f3ef0af47bac20c1b05f5b1227b9ceea6e6944
Instruction ID: 013604c4caef84561fccbb705fb8d5622459534f4d4bd5494b05cf99bec635e1
Opcode Fuzzy Hash: 710f50bb6b2cffd45e9597a020f3ef0af47bac20c1b05f5b1227b9ceea6e6944
Instruction Fuzzy Hash: C9810475E15219CFDB44CFAAD5808EEFBF2FF88210B14A569D415AB324D334AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB38C8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3b9deeafb4f42ae62074fe1874eb77ccec1e093eee80abfe9a4fc8ab5988dd
Instruction ID: 09ae1a9cb1b028281a7cfbd9d9f96924bae03dcf421360a4502b56de2f8a8f10
Opcode Fuzzy Hash: 0e3b9deeafb4f42ae62074fe1874eb77ccec1e093eee80abfe9a4fc8ab5988dd
Instruction Fuzzy Hash: EE71127AE4420A9FDB44CFAAC8809EEFBB2FF88310F14A456D415A7215C7309942CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06FB38D8 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c081030137a269cce874b3b62bab834e20b8ff9b1be89ae9e67d0031e89946
Instruction ID: 4bc5e89c7705ef014c028dbefa97ed990e5ead7a5bfaffc5a4e4bddd8aa0454a
Opcode Fuzzy Hash: f5c081030137a269cce874b3b62bab834e20b8ff9b1be89ae9e67d0031e89946
Instruction Fuzzy Hash: 4971D07AE4520A9FDB44CF96C5809EEFBB2FF88310F24A519D515AB205C7309942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06FB09A0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7da2bf91bbcf4e3b17e1fdf5a1a2904720616f7246c6b15b91e1ac48a1b381
Instruction ID: 8446b1a126e55195cec4b4b472face87d255e38c5fb5eb7a58ed8204f5aa5ff9
Opcode Fuzzy Hash: 4e7da2bf91bbcf4e3b17e1fdf5a1a2904720616f7246c6b15b91e1ac48a1b381
Instruction Fuzzy Hash: 75613375E0420A9FEB44DF9AD4809EEFBB2EF88310F14952AE415A7354D734AA81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06FBD838 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044b0ccdc8e0400c10bf78a74b13fb3d098b3b355af318e4842df11a9346aba4
Instruction ID: 5f6d39a86472da619dd852f174bf5f4cd8baa2f8e09d27020057aae4f32a3d1c
Opcode Fuzzy Hash: 044b0ccdc8e0400c10bf78a74b13fb3d098b3b355af318e4842df11a9346aba4
Instruction Fuzzy Hash: 40612070E10A088FD744EF76E98169A7BF3BBC8305F04C93AD0149B768EB7959058F91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB09B0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5b46aca05ed9a3fd631f68b8b085f7869743daaeb3a759e3af29d261d219b9
Instruction ID: 258f8ea621d69ffb2511d8c0a8a7d66ec826a6fd652e61f0d334e19152aaa3d6
Opcode Fuzzy Hash: cc5b46aca05ed9a3fd631f68b8b085f7869743daaeb3a759e3af29d261d219b9
Instruction Fuzzy Hash: F8611475E012099FDB44CF9AD4809EEFBB2FF88310F14992AE415A7324D734AA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06FBD848 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569e5cc8475cb880226e46de9acd2bfb6c6f6bbdb52c96442a995c79d45d846b
Instruction ID: 25ab2b32a241609ef7ba9d4619441b7f62097826c3c0aba96933194f639d42bb
Opcode Fuzzy Hash: 569e5cc8475cb880226e46de9acd2bfb6c6f6bbdb52c96442a995c79d45d846b
Instruction Fuzzy Hash: 92611F70E10A088FD744EF7AE98169A7BF7BBC8305F04C93AD0149B768EB7959058F91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB38D7 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e944fe73aece7e221a0f4a269709311947a9975a4b52a7bbe9aee2dff2598d8
Instruction ID: 665752a1122d6ecb1a0d08bb2c4c9dbff181ca44ca5100edfdb1da15ce0ea311
Opcode Fuzzy Hash: 1e944fe73aece7e221a0f4a269709311947a9975a4b52a7bbe9aee2dff2598d8
Instruction Fuzzy Hash: 6461E27AE4420A8FDB44CFAAC5809EEFBB2FF88310F14A516D415A7305D7309942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0ADD0040 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26115bb4293b3f97e65a9c3efdff3f664d0c929f54b61ae39d687e8fa8d1513c
Instruction ID: 06aebe56b80e5c74b3390cd3e00f3911bebf5a3f3959528e0ff7be7ecbb9dda1
Opcode Fuzzy Hash: 26115bb4293b3f97e65a9c3efdff3f664d0c929f54b61ae39d687e8fa8d1513c
Instruction Fuzzy Hash: F451C5B0D15628CFEB64CF2AC844799BAF7BBC9304F05C2E9D40DA6264DB764A95CF00

Uniqueness

Uniqueness Score: -1.00%

Function 06FB43B9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d455f15afc28c192973f6ec78a4e99542017131f7862f7961da0b8204c408f
Instruction ID: fcec1da9330bae8e41733e6fa1880c4d8f736ff9d6962582b7777a136c83a25f
Opcode Fuzzy Hash: c7d455f15afc28c192973f6ec78a4e99542017131f7862f7961da0b8204c408f
Instruction Fuzzy Hash: F14119B1E01209DFDB44CFAACA805EEFBF2FF88210F24D56AC914A7255E7305A518F90

Uniqueness

Uniqueness Score: -1.00%

Function 0ADD86E0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.287091423.000000000ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836c3c43d74835a8791eca76e87b57fb2f03c8a08531a1da14c197816cb0a87e
Instruction ID: 8483cc96d757cc9506889814f1c132405d6e06d39a9c1af395082d7b132de636
Opcode Fuzzy Hash: 836c3c43d74835a8791eca76e87b57fb2f03c8a08531a1da14c197816cb0a87e
Instruction Fuzzy Hash: 67415071E056588BEB1CCF6B8D0068EFAF7AFC8200F15C1BAC44CAB225DB3149568F11

Uniqueness

Uniqueness Score: -1.00%

Function 06FB43C8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284986603.0000000006FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fb0000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ca7cf13c6a84941421564a215594825a323e80a546bb8537ace7f6a7fac723
Instruction ID: aa23776afb03f54760674ddd691d5cef31e022095743161733fd455aef03c769
Opcode Fuzzy Hash: 68ca7cf13c6a84941421564a215594825a323e80a546bb8537ace7f6a7fac723
Instruction Fuzzy Hash: FE41E6B1E01609DFDB44CFAAC6805EEFBF2BF88200F24D46AC914B7219D7309A51CB94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BfwPdttqxH.exePID: 1508, Parent PID: 5932COMMON

Executed Functions

Function 029911B9 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f544d9175b64101b331ad090dce4a72b1635c4e0e34f98a9285bfa737ff5a711
Instruction ID: 76f1c6f866b711b7e924b7922be824d7694a1f86b553c3b06d9f0b3cc1057b5f
Opcode Fuzzy Hash: f544d9175b64101b331ad090dce4a72b1635c4e0e34f98a9285bfa737ff5a711
Instruction Fuzzy Hash: 7DB128347001048FCB44EB78D995AAD77F2FF88318B2544A9E4069B3A1DF35EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029912A0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b37cd1c7440516fac57ec4a92b79c0249be39bd70998674b70663fb5ce02bb7
Instruction ID: 29c23ce7b83b5aa77a907573b6c2db82ace8bb9700ce1e6378583fb913aadaa1
Opcode Fuzzy Hash: 7b37cd1c7440516fac57ec4a92b79c0249be39bd70998674b70663fb5ce02bb7
Instruction Fuzzy Hash: B46147347001048FDB58EB68D9A4AAD77F2FF88314F2544A8E9069B3A5DF75EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02990AB8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea305eb2c61b6ffac005c9913991956c3397e71fe60ca5b14860ede6eb0d7827
Instruction ID: 8293be80c3b5d292e0f8b4395687a3bcab893cd5b5300ad070c798bb4563ec5f
Opcode Fuzzy Hash: ea305eb2c61b6ffac005c9913991956c3397e71fe60ca5b14860ede6eb0d7827
Instruction Fuzzy Hash: CB51AE30B101049FCB04DB7CC454AAEBBF6EF89714F2581A9E906EB3A1DB75DD068B91

Uniqueness

Uniqueness Score: -1.00%

Function 02990920 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1191bc49224eadf5504a494d20d003ce481ac0cdf125ebb6a8ea58e926a803
Instruction ID: c6491c7ec3521b25b87e78164bd821209294e685447b5ba62d77013fc1efd31f
Opcode Fuzzy Hash: ef1191bc49224eadf5504a494d20d003ce481ac0cdf125ebb6a8ea58e926a803
Instruction Fuzzy Hash: 4C41D230B042448FDB15DB7CC864AAEBBF2AF89314F1844AAD005DB3A1DB74DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029906A0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac16bb8c3379fbc097e9a406222f10cea864972284a7ee53fdf38d4753d5d262
Instruction ID: 11ddc90216e9e1382c6347563ec97ad75fb4f72197fdefa2cd0cfc7b8abd008d
Opcode Fuzzy Hash: ac16bb8c3379fbc097e9a406222f10cea864972284a7ee53fdf38d4753d5d262
Instruction Fuzzy Hash: 1151D578604209CFCB46EF39ED958597762FF8570A3108969E4068B6A8EB35ED47CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02990DD0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a9dee699cc2cd21056e8d347b70793552ed9a5a4f3e1397995d16ff7ad170e
Instruction ID: c2ba18d0a3f8eff7335560bac2c13552ddb4f121e93ad0030024734e9a3674a2
Opcode Fuzzy Hash: a0a9dee699cc2cd21056e8d347b70793552ed9a5a4f3e1397995d16ff7ad170e
Instruction Fuzzy Hash: 5941A270E002499FCF54EBBD84516AEBBFAEF85214F108579D40AD7741EB389E428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02990910 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8315c20c8b775313cc37178cc82843c7375d343da772b949ec8a7a9a35bd561
Instruction ID: 79900adb6020bcc7ffe02e3e49e6b907ec314bb4916e8d6a6e822488a410b9f5
Opcode Fuzzy Hash: a8315c20c8b775313cc37178cc82843c7375d343da772b949ec8a7a9a35bd561
Instruction Fuzzy Hash: 5631C330A042089FDB14DF7CC999BAEBBF6AF89304F1485A9D401AB7A1DB74DC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02990F3A Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2408214d5776199a5a619a7e0898a53a0fe5bd762bd5479696acd18341dc88
Instruction ID: 3d3c38783be09808f58981be7d032a8d5b2ca7d42be9ab66b4533ded33c0b62d
Opcode Fuzzy Hash: 2b2408214d5776199a5a619a7e0898a53a0fe5bd762bd5479696acd18341dc88
Instruction Fuzzy Hash: A631CE30B002558FCB54EB78C852A6FBBF6AF89318B14407DE556DB3A1EF749D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297070790.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f4d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889173cd346d21e902d19070dbc80e256eb5763e251ca5842b9ed0a386f3cfd0
Instruction ID: 19f6d9214c4e886cccc52f03ade4b000517a11fdeca6b8e5b6fa17d8cace58b3
Opcode Fuzzy Hash: 889173cd346d21e902d19070dbc80e256eb5763e251ca5842b9ed0a386f3cfd0
Instruction Fuzzy Hash: 1221F872504240DFDB05DF14D9C0B66BF65FB94324F24C569EC050B656C336E856E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297070790.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f4d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ae1697e9c55446c7683fdc7dbba59645826c91860b019eff770f2e703dfc5f
Instruction ID: 4c1904ea170e0ef803790121c055b5f85ed014c658e406e1274bf51ad1f9e39a
Opcode Fuzzy Hash: 91ae1697e9c55446c7683fdc7dbba59645826c91860b019eff770f2e703dfc5f
Instruction Fuzzy Hash: 3A212572904240DFDB05DF14D9C0B26BF65FB88328F288569EC090B656C736D859EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02990598 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f942347e64bfff8ea9269a8bcdf22e9eb63232001f5103c793b6fbfd556f27f
Instruction ID: 61c388a3584d466dbc758fc863e2d0fdf342785b721084ba80d2736eef8d9c89
Opcode Fuzzy Hash: 3f942347e64bfff8ea9269a8bcdf22e9eb63232001f5103c793b6fbfd556f27f
Instruction Fuzzy Hash: DF219231A0575A8FDF58AB7D9C2573E3BA8AF8475AB00462DE867C2190EB30C481DB51

Uniqueness

Uniqueness Score: -1.00%

Function 029905A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3268a40ed94c3f17a9cae79bc78d07c4af967e213e63e87afe94eb36d65985c
Instruction ID: 2f7fecde407c208c5506040f1b0d9f573c2951168f948678bb2e485c0609adae
Opcode Fuzzy Hash: f3268a40ed94c3f17a9cae79bc78d07c4af967e213e63e87afe94eb36d65985c
Instruction Fuzzy Hash: 63218430A0572A8FDF58AB79E91573E3BA8AF8475AB004538D927C2190EF34C440DEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297070790.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f4d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 9609f41436017885d5749bf4aa3c19337ffa49a3c2c48d11259949573849c0cf
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 8411B176804280CFDF12CF14D5C4B16BF71FB84324F2886A9DC050B616C336D956DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297070790.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f4d000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 546447e21814b3d37c78286a384c8d13da4ea93a53893028c37cdc8e2e2d43f5
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 7111D376904280CFCB12CF10D5C4B16BF71FB94324F24C6A9DC450B666C33AE856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02991031 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153a1ff9f9078101a3f2356d4410b17bbd26f56d8f6a30d1a61c4a5478dbd54a
Instruction ID: 928687188d5eddacd4d25497cc546f1600062a31deceaa6707053849b8c3ac8b
Opcode Fuzzy Hash: 153a1ff9f9078101a3f2356d4410b17bbd26f56d8f6a30d1a61c4a5478dbd54a
Instruction Fuzzy Hash: B711EC34B002508FCB44EB7DD845A6E7BF5FF8825971804B9D40ADB350EB369C02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02991040 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60034733420a857eaf186ca043f9d272ce06438ea007bf466730576f53b56c2b
Instruction ID: c578e1543cd5433ee19b0bd92d0a7d8ec03b91fd89e56585878e24a813fb1c28
Opcode Fuzzy Hash: 60034733420a857eaf186ca043f9d272ce06438ea007bf466730576f53b56c2b
Instruction Fuzzy Hash: D911CB30B002048FCB84EB79C845A6E77EAEF882597040479D00ADB350EB36DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02990A3D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edd9c437a8a038e076ae79176223b1a271a32be04fba16dba9943636a083a91
Instruction ID: 08699c63a7adb4489700f566db315835b46fe07e26d42ed462af5cbbd8f973de
Opcode Fuzzy Hash: 1edd9c437a8a038e076ae79176223b1a271a32be04fba16dba9943636a083a91
Instruction Fuzzy Hash: 26F0A9207092900FC7469738587546D3FA35FCA19931A40FBD189CF7B3DE188D078762

Uniqueness

Uniqueness Score: -1.00%

Function 02990A80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25af600b85c1ce3b60e17bf01589d3422e03ef7cdd051ef99bd4cfcb699a95f
Instruction ID: 4873f668f279ebce24bb9ccdb926ddbf2b059df53dd03b90f0898db249bf359b
Opcode Fuzzy Hash: e25af600b85c1ce3b60e17bf01589d3422e03ef7cdd051ef99bd4cfcb699a95f
Instruction Fuzzy Hash: 36E012357002145F87549B7EA89485FB7DEEFC95EA3694079E10DC7321EE75DC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02991588 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003690822dc3225d0d88fe0d861eb1efcd124c97fa675e367514041eda5c75da
Instruction ID: 89b488c3c2765f7c5c2a4a778b93fb4913968a71931ebb801e512cc770ee8b0c
Opcode Fuzzy Hash: 003690822dc3225d0d88fe0d861eb1efcd124c97fa675e367514041eda5c75da
Instruction Fuzzy Hash: E8E065302047948BDB35E2B890543DE7BD25F5131CF040C6EC58A47A82DFABA94883A3

Uniqueness

Uniqueness Score: -1.00%

Function 029915F9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0667b39b4a0fd31e2381f9d05f7d478a4c9a32a6eda5a3b747e601808f067f
Instruction ID: c11725ff88cbf6bf414d19d225998050898d507a47254fe8e72772c8a0aae4ef
Opcode Fuzzy Hash: 7e0667b39b4a0fd31e2381f9d05f7d478a4c9a32a6eda5a3b747e601808f067f
Instruction Fuzzy Hash: 54E086307600604FC715DB7DE496A6E7BD1AF8A254B400179E006DB752CF2DDC024B85

Uniqueness

Uniqueness Score: -1.00%

Function 02991608 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.297753654.0000000002990000.00000040.00000800.00020000.00000000.sdmp, Offset: 02990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2990000_BfwPdttqxH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77099a658d368ceae8ab4a9d2d0bf4267e7e8b0dbf2132d341ddd3379de9ce6f
Instruction ID: 249aea75a5d077a2b8b111a5359290671e78f905772073513be77cff7187c3af
Opcode Fuzzy Hash: 77099a658d368ceae8ab4a9d2d0bf4267e7e8b0dbf2132d341ddd3379de9ce6f
Instruction Fuzzy Hash: 18D0A9307200245BCA08A7BDE40686E3BDA8F8B66878001A9E106DF361DF3EEC0047D6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: .exePID: 4336, Parent PID: 5684COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	107
Total number of Limit Nodes:	8

Executed Functions

Function 0A5D74B8 Relevance: 2.2, Strings: 1, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UUUU, xrefs: 0A5D798A

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 3a9121492ed0552f7b0ae8f30f6aa15064cf759f2f24724afc64c38a3c1aa6fe
Instruction ID: 2f0aa14cbfbb4b7987eb19cde6641224ce4a3537d62ade6a7a38194948339025
Opcode Fuzzy Hash: 3a9121492ed0552f7b0ae8f30f6aa15064cf759f2f24724afc64c38a3c1aa6fe
Instruction Fuzzy Hash: EDA2C675A00628DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02679550 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02679796

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 38e516c941060e9d5418f2bd8dcf8396493d73673861d078b7df6a09f6d9743d
Instruction ID: 46de27fbd795c3e2c91f8aed01c9d99a8e29e46c28a00e9f0ff195fea8a07358
Opcode Fuzzy Hash: 38e516c941060e9d5418f2bd8dcf8396493d73673861d078b7df6a09f6d9743d
Instruction Fuzzy Hash: D17124B0A01B058FDB24DF29D08479AB7F1BF88314F108A2ED45AD7B50E774E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02675367 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02675421

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a82e3673ba57ba88eeab957ae62345958a3f4a00e219bf342734cd066d41e3dc
Instruction ID: b21270271c4c03e2ae5059f0290360e93bdfdca5a701eda14d2609f8f80b0193
Opcode Fuzzy Hash: a82e3673ba57ba88eeab957ae62345958a3f4a00e219bf342734cd066d41e3dc
Instruction Fuzzy Hash: 8C41E471C00618CFDB14CFA9D9847CEBBB1BF48308F208169D409BB255DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 026738A8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02675421

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5073b9c828b516446b085316b8a5cfab5488c8bc3288244fb6060eb4359faf80
Instruction ID: 255a91acd070ee9d2644ca8fb40b0f9ecfcb60efa345c041ede4f944c026efca
Opcode Fuzzy Hash: 5073b9c828b516446b085316b8a5cfab5488c8bc3288244fb6060eb4359faf80
Instruction Fuzzy Hash: A441E371C00618CFDB24DFA9C9847CEBBB5BF48308F6081A9D809BB255DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0267AC7C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0267BA36,?,?,?,?,?), ref: 0267BAF7

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 18498f7eadcf05a7bc5c00b58d953f495c285a4879c80becbf76e8329947f3bf
Instruction ID: 3cebaeba9d278558ed6b2e761e49dd3efd60b3d06397f3d84ef5bf0203e4ae75
Opcode Fuzzy Hash: 18498f7eadcf05a7bc5c00b58d953f495c285a4879c80becbf76e8329947f3bf
Instruction Fuzzy Hash: A021E6B5900248DFDB10CFAAD984AEEBBF4FB48324F14805AE914B3310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0267BA68 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0267BA36,?,?,?,?,?), ref: 0267BAF7

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2637e337cfc572949b217839f473ec675174f6a1aa42530eb247ec5bf6de76f
Instruction ID: ef2cda6d658b2abdd15a74886a7343f28babb135ba3a8618b2cfe913e30b3964
Opcode Fuzzy Hash: e2637e337cfc572949b217839f473ec675174f6a1aa42530eb247ec5bf6de76f
Instruction Fuzzy Hash: 7821C2B5900249DFDB10CFAAD984ADEBBF5FB48324F14841AE918B7750D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02678AB0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02679811,00000800,00000000,00000000), ref: 02679A22

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c21c5937fc82d1d4773cc8700cb923ef0878892f1a564fc26f0e8980ad543939
Instruction ID: cb68fffe8e2d0430522f213ca82971f3acc48d73baa71835557c0cdd07a8115b
Opcode Fuzzy Hash: c21c5937fc82d1d4773cc8700cb923ef0878892f1a564fc26f0e8980ad543939
Instruction Fuzzy Hash: D01114B2D012089FDB10CFAAD844BDEFBF4EB48324F04842AD919A7700D374A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 026799B0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02679811,00000800,00000000,00000000), ref: 02679A22

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7874528b44034c8bf8bc2110e7bd61fff175ed2f1b6ac956407aa226d7fca6f2
Instruction ID: d92db22bc1d7e489d3a43ae33a4e1b120a1b89d65a42fec648584f50dedda084
Opcode Fuzzy Hash: 7874528b44034c8bf8bc2110e7bd61fff175ed2f1b6ac956407aa226d7fca6f2
Instruction Fuzzy Hash: F11126B2D012198FCB10CFAAD444BDEFBF4EB88324F04842AD519A7700D374A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02679730 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02679796

Memory Dump Source

Source File: 00000019.00000002.343386067.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2670000_UNK_.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f3de42ab81e6717d6a594c2f453237768c9fbc82342fa2bab63d4891d8ea4f07
Instruction ID: cfbe602edbdccec567864ef933fa43d56c1fe2e2c5967d2f54d81d908457fe7a
Opcode Fuzzy Hash: f3de42ab81e6717d6a594c2f453237768c9fbc82342fa2bab63d4891d8ea4f07
Instruction Fuzzy Hash: 9511CDB6D006498FCB10CF9AD584BDEFBF8EB88324F14852AD829A7610D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A5DFDC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ffb2fbfaadd6a20bc96cf7e82f456171b668c4831f107b82597c59f6e7a65ef
Instruction ID: cde407068968bf45053f65d364b7c78df3f544a3ee3248505f5df97e159e6d2c
Opcode Fuzzy Hash: 2ffb2fbfaadd6a20bc96cf7e82f456171b668c4831f107b82597c59f6e7a65ef
Instruction Fuzzy Hash: 97216B30B001189FDB64EBA9D894AEEB7B6FF88311F108029E406B7794DF345D49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343157661.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bbd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac515720a37108c639390757bf17a5036e3cffa9978baa967505d94db20f0551
Instruction ID: c1aff0a351bceb51836c25b383b574f3cf1bbe2597b4f4f33c6dcfa5177d0eeb
Opcode Fuzzy Hash: ac515720a37108c639390757bf17a5036e3cffa9978baa967505d94db20f0551
Instruction Fuzzy Hash: E6212571504240DFDB15DF14D9C0BB6BFA5FB98328F2485A9E8050B706D37AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343184722.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bcd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17e3186b4b6848e140fc1f9b842742b0382b80551cadb921dd26e874999902b
Instruction ID: 8765ee0d31d1bbaf8724f17513d5eabc9f376882a7f4ad6857d34aee8d3b068e
Opcode Fuzzy Hash: b17e3186b4b6848e140fc1f9b842742b0382b80551cadb921dd26e874999902b
Instruction Fuzzy Hash: 4F21B379604240DFDB14DF18D9D4F16BBA5FB84314F24C5BDD84A4B746C336D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343184722.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bcd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a13aaf9f5aea50534e58a7b1abd9cd413b0d0d9775a83ebc32825abef237961
Instruction ID: 71e18127c4cce0ce777609201b6744059389c1a5f4587b96d53ea753f32fa412
Opcode Fuzzy Hash: 6a13aaf9f5aea50534e58a7b1abd9cd413b0d0d9775a83ebc32825abef237961
Instruction Fuzzy Hash: 4421B079604240AFDB05DF14D9C4F26BBA5FB88318F24C9BDE8494F656C336D84ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 0A5DF108 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72d82d6161e9527b18c8c91c6dea354cae77323b72c90e35f9517f098ee3b94
Instruction ID: 64be871767b1ecca2061b52e1e5fbdbd458db08c45038f8c2f2dd09152f51b11
Opcode Fuzzy Hash: e72d82d6161e9527b18c8c91c6dea354cae77323b72c90e35f9517f098ee3b94
Instruction Fuzzy Hash: FB117330B002149BDB749ABDC8106BF76A6BF84760F04853DE81BDB754EF7489098BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343184722.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bcd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9edf40f64b0e26472e5ab5b11fe62c98ec8b08529f2134cc0a5e70c5aab3d47
Instruction ID: a63aa9d79153d8e20355473c73b8a51beecfb133edc1b4be0d87240986892b46
Opcode Fuzzy Hash: c9edf40f64b0e26472e5ab5b11fe62c98ec8b08529f2134cc0a5e70c5aab3d47
Instruction Fuzzy Hash: 3421C6795093808FCB12CF24D5A4B15BFB1EB46314F28C5EED8498B657C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343157661.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bbd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 05b56b89774602f506b999fb6bcfe9886de149b685cd60cf9a7896b5c5136f25
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 7C11D376504280CFCB12CF10D5C4B66BFB1FB94324F24C6A9D8450B616C33AD956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343184722.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bcd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7295738dd5415a26bb4c57afd7e216ba35a237fb4860c4a8b3290a6f7a399039
Instruction ID: 4aa795e49954b1ec567ff986c702bea67f0f7abaa32fe154e801ec1227e6cdd3
Opcode Fuzzy Hash: 7295738dd5415a26bb4c57afd7e216ba35a237fb4860c4a8b3290a6f7a399039
Instruction Fuzzy Hash: 1B115B7A504280DFDB16CF14D9C4B15BBB1FB84324F28C6AED8494B656C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343157661.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bbd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec21136a85a1ca5851f21a250507a417a6b4410f1b10e09c93a8680ef8806e6
Instruction ID: 5b232cddc25297b7219d385c02b54cd532ef4e226139f03d06a9c04090d36c10
Opcode Fuzzy Hash: 7ec21136a85a1ca5851f21a250507a417a6b4410f1b10e09c93a8680ef8806e6
Instruction Fuzzy Hash: 3C01D4710082809BE7105B12CDC4BF6BFD8DF41368F18859AE9055A646EBBD9C44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.343157661.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bbd000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0222fd47f5bd1d092f154dad9de94f83a675affc80df303073ffa9ba86263e75
Instruction ID: aba48a05d7f50fd7c2889833e0381ed84e0c7f1bbd4a1bc8e1af2b8d4bfdd28f
Opcode Fuzzy Hash: 0222fd47f5bd1d092f154dad9de94f83a675affc80df303073ffa9ba86263e75
Instruction Fuzzy Hash: 9EF0C2714042849FE7108F16CC88BA2FFD8EB81374F18C45AED085B286D3B89C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0A5DF0B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31ceb67c42c6a37a2ad48f915c4419f026c24e212952dadcd795d238ffe6297
Instruction ID: fb0b28ad9aad6590b76f549421006b6731a468979fa70d0d6a3864ae21c307d1
Opcode Fuzzy Hash: b31ceb67c42c6a37a2ad48f915c4419f026c24e212952dadcd795d238ffe6297
Instruction Fuzzy Hash: DCF0A535D10208EFCB54DFA8D944A9DBBB5FB4C314F10C1AAAC18A3350D7329A55DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0A5D8698 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515e75d10afe5f8f30b689162ccff361291b2606096af5744453a651839fa23c
Instruction ID: a6e4dcfd6e9af5a1b3c6159aebcef877b7fa7e1906d2ceea97fe0941adc4a5da
Opcode Fuzzy Hash: 515e75d10afe5f8f30b689162ccff361291b2606096af5744453a651839fa23c
Instruction Fuzzy Hash: 10E07574E15208AFCB54DFA9E54569DBBF4EB48314F2481AA9818A3340D736AA46CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0A5DECB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec00f61ab559074ac45baa904229479dc77a9b7dc6aa402c362bacc39cdec713
Instruction ID: 1f1af3512d0f5565506d37ffd5d9e1b43f93e5f50477c5bf7fcb6f558af49c9e
Opcode Fuzzy Hash: ec00f61ab559074ac45baa904229479dc77a9b7dc6aa402c362bacc39cdec713
Instruction Fuzzy Hash: DEE0E534E11208EFCB84DFA9E549A9CBBF4FB48310F1080AAD808E7320D7309A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0A5D7468 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef10f99cbc422b31385c309e7dd9c08251906d4face0c6f186d33e892681f943
Instruction ID: 30b061130b24e45c581c0e7fc42caed2da16fac213de0247b65b4e599f18bb3f
Opcode Fuzzy Hash: ef10f99cbc422b31385c309e7dd9c08251906d4face0c6f186d33e892681f943
Instruction Fuzzy Hash: F4E0C27342120CEFCB61EFB4E50868E7FB8FB0A204F1040B5D506E3220EB314E948BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0A5DEF08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19eb5abad7f0e84459258c9ae1e481eea7b7be829e83624e747abaadbedc4c88
Instruction ID: 80a08f80cf085f43959068ff379a18123d3f86adf5186cb13f9e2ca627996b21
Opcode Fuzzy Hash: 19eb5abad7f0e84459258c9ae1e481eea7b7be829e83624e747abaadbedc4c88
Instruction Fuzzy Hash: D3E0C23281210DAFCB61FFB4D40068E7BE8FB09104F5000B5D50593260EA310E448BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0A5DFD78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.350880186.000000000A5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A5D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_a5d0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a7ec0472f1367590987c7fd108cc032095ea7590ece9c1307025434576b255
Instruction ID: 1be35c92bd86e53910895f2022a48553cc49cb38faf669a372ae782390c38566
Opcode Fuzzy Hash: f1a7ec0472f1367590987c7fd108cc032095ea7590ece9c1307025434576b255
Instruction Fuzzy Hash: 93E09234D15208EBCB54DF98E585A9CBBB4EB88214F2081AA9809A7344D732AA46CB85

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: .exePID: 3356, Parent PID: 4336COMMON

Executed Functions

Function 02791B6C Relevance: 3.5, Strings: 2, Instructions: 961COMMON

Download Yara Rule

Strings

R, xrefs: 02791B78
,, xrefs: 027920B7

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID: ,$R
API String ID: 0-3772432600
Opcode ID: 7fc0bf55470c854ebd56519ced2127507a1b37dea7305b5148c2ca91f8899551
Instruction ID: 61bb4b309c08b5643d64b4b5dc1747b060d2ccfb6c148c1026ca2d7bd1a151bd
Opcode Fuzzy Hash: 7fc0bf55470c854ebd56519ced2127507a1b37dea7305b5148c2ca91f8899551
Instruction Fuzzy Hash: 5702AC706002009FDB14EB74E894BAEB7E3AF85308F148569D415AF7A6EF74EC49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 027906A0 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

TU, xrefs: 027906EE

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID: TU
API String ID: 0-2203159389
Opcode ID: 19a5aac83c444f7b56601ece3563569c9c2dce6d8cfc4e534b1b1e3d2d2c3cf5
Instruction ID: 8b1a2aa79bd3855c487e2af524156ea094f5e9b12bb90f50d000a206a3cb463c
Opcode Fuzzy Hash: 19a5aac83c444f7b56601ece3563569c9c2dce6d8cfc4e534b1b1e3d2d2c3cf5
Instruction Fuzzy Hash: 0451D379608205CFC706EFB5E9D488977B3AB8560D3108929D4099FB78EB31E94ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 027911B9 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b27c7aa8a540c3e75b1b4d39a4069b65481a0fdaae672c9ccf9d755f147cff
Instruction ID: 6685811c863f34e32cc5fc2040a792d702d9566b8288b11ee92bf1ccbc7a7262
Opcode Fuzzy Hash: d5b27c7aa8a540c3e75b1b4d39a4069b65481a0fdaae672c9ccf9d755f147cff
Instruction Fuzzy Hash: B3B13C747002148FDB18EB78D558AAD77F6AF88718F2584A9E406EB3A1DF35DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02790AB8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd24ef676c4f72d9ea42b4d8b7f8df6fc058cb9f84c09e259eef8f8c694c4c1
Instruction ID: 962c2d2bcfe12ffacad9db7cc5e3cc919f7b9a35d09681306d7a2ab8bb56d0bd
Opcode Fuzzy Hash: ffd24ef676c4f72d9ea42b4d8b7f8df6fc058cb9f84c09e259eef8f8c694c4c1
Instruction Fuzzy Hash: C851D030B202148FCB04DB79D454A9EBBF6EF89704F1580A9E405EF3A1DB75EC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 02790920 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b8799dd579a71258db7cf7d1813a42446dc1e0ac44df4dfad5d1debdb0cf7b
Instruction ID: e4aff3eefd84548cece125f64f9bda033f5baf9b3571c1b7c67d31a201b7dbf9
Opcode Fuzzy Hash: 80b8799dd579a71258db7cf7d1813a42446dc1e0ac44df4dfad5d1debdb0cf7b
Instruction Fuzzy Hash: E341C2307142048FDB15DB79D854A9EBBF6EF89344F1484A9E005EB3A1DB74DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02790DD0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f44bb07a212ea60d9ef38320715b747d6d4b0736e2aff29a1ca829a409f49de
Instruction ID: 813c3f1ca70cf3100c89c74d8a4cf09f71ff2ea05c5591db76bb397fac94be27
Opcode Fuzzy Hash: 5f44bb07a212ea60d9ef38320715b747d6d4b0736e2aff29a1ca829a409f49de
Instruction Fuzzy Hash: 2E41E770A202489FCF54EBB984552AEFBEBEF85304F148179D409E7741EB349E8287A1

Uniqueness

Uniqueness Score: -1.00%

Function 02790F3B Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796777b062eb80d3ffd4cfb5c7c8540ffb37093954e717488f8f39655951f9a5
Instruction ID: ebb8eac85d58f11030443d9c401f6049bfaf5a8ec0616a1c4f6919f2c6338064
Opcode Fuzzy Hash: 796777b062eb80d3ffd4cfb5c7c8540ffb37093954e717488f8f39655951f9a5
Instruction Fuzzy Hash: 2731F030B102458FCB54EB788852A6FBBF6AF8A204B1440BDE545EB3A1FF34DD018791

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507126377.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_e0d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094da0cb2e706eadb57214dc4baa7b12a0472c813b6821dca3d70fc62c001442
Instruction ID: ff6bce3ef2a5128fc6b3a319329ea2f50e1f41f97db9f889353d275d0fd79943
Opcode Fuzzy Hash: 094da0cb2e706eadb57214dc4baa7b12a0472c813b6821dca3d70fc62c001442
Instruction Fuzzy Hash: CA212571508300EFCB05CF94DDC0B66BB65FB88328F24C569E8056B696C336D89ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507126377.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_e0d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec4bf22f87963e83a50b0b7388a85d2f11b852c82f35d3508492d5de636f527
Instruction ID: d87a21067b938eca1cad20042b6bb2cd680b45882d134cf0df9c3966af0980de
Opcode Fuzzy Hash: eec4bf22f87963e83a50b0b7388a85d2f11b852c82f35d3508492d5de636f527
Instruction Fuzzy Hash: FA214571508200DFDB01CF84DDC0B66BF61FB8832CF248569EC091B686C336D889CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 027905A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8960c538e7e8e6798cd577d586ad8c018e98ec661ec5686deac58144b192d2
Instruction ID: 9d02a306ac99bbd8327ae7fcc974747fefedb3f8b47c772de756b3e8a1efed31
Opcode Fuzzy Hash: 6e8960c538e7e8e6798cd577d586ad8c018e98ec661ec5686deac58144b192d2
Instruction Fuzzy Hash: 9C215132625766CFDF58AFB6F84977E36A46F84749B008439D817E22A0EF74C444CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507126377.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_e0d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74418e7eae0537ffbf11f8dbcccc0f1b66c7b0e45160c51b2e93c1ee146d1d9
Instruction ID: ecf9e28e538522c696b253dce81fd1fb04f8512e32e331af9ba00b6107eafa93
Opcode Fuzzy Hash: e74418e7eae0537ffbf11f8dbcccc0f1b66c7b0e45160c51b2e93c1ee146d1d9
Instruction Fuzzy Hash: EA21B476504240DFCB16CF50D9C4B16BF71FB84314F24C6A9DC041B656C336D8A6CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507126377.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_e0d000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction ID: 5924b52bd35d14e02163f5533218910f4bb126128ec2d2af6ecf247a4e8d3ca8
Opcode Fuzzy Hash: 443a7f9af640cd919331e281847f8d6becf020b849bdf04c35086449af5cbafc
Instruction Fuzzy Hash: 6011B176408280CFCB12CF54D9C4B16BF71FB84328F2486A9DC051B656C336D996CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02791031 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404f809be4529594f27cd35fb315a2d0d749a2b2a1cd4f691e2b8286e82922d2
Instruction ID: e32ad51b23a23809e792eddb2f2c6e019be2e84cbe312e1906db2875272accfa
Opcode Fuzzy Hash: 404f809be4529594f27cd35fb315a2d0d749a2b2a1cd4f691e2b8286e82922d2
Instruction Fuzzy Hash: 3F119A74B00205CFCB50EB7DD845A6AB7F6BF8825835944B8C00AEB321EB36EC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02791040 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f9a0d192ab9e3082d23b434a3246df8fc634501bbec9b66192aed4ff404ea3
Instruction ID: 7bfbd2c04b1a69e0e45c94fe78944be8963c1789c3fd7c0b75230014c6192eb4
Opcode Fuzzy Hash: 14f9a0d192ab9e3082d23b434a3246df8fc634501bbec9b66192aed4ff404ea3
Instruction Fuzzy Hash: 8111ED30B00200CFCB44EBBDD84596E77F6AF882483454478C00AEB320EB36DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02790A3D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228e5f60f6f624978bc19a41a33775a643beb624831a14895471dcb2e72a3c59
Instruction ID: 1941399601061ba368efeee62ef02cb3c1a676d9faee7e833dd26ae52be324d2
Opcode Fuzzy Hash: 228e5f60f6f624978bc19a41a33775a643beb624831a14895471dcb2e72a3c59
Instruction Fuzzy Hash: 33F0F9303183504FC746A339682445E7BE79FCA19431540B6E149DB3A2EE188C0A83A6

Uniqueness

Uniqueness Score: -1.00%

Function 02790673 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07839a36db6c6e5ca66217f992f290a5b689710dc3971744e87fc0ff3026bb25
Instruction ID: 2f3dfcab863aaf6252120a1d62ecbaabbd24a2ebdae7357d31d1ea96e0bdfb96
Opcode Fuzzy Hash: 07839a36db6c6e5ca66217f992f290a5b689710dc3971744e87fc0ff3026bb25
Instruction Fuzzy Hash: ACC012730157A1CEEB182BB2A908BA82A206BE0205F008095A02324AB0CF340848C602

Uniqueness

Uniqueness Score: -1.00%

Function 0279068F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.507467991.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2790000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca220f15691698803de77b09d7953e0dbfa5541a9186c1c3a0334aba3a2b107
Instruction ID: 6c8ce5234b706f620c9b33bde5b6e0c3a6a76c8485e4fe1b7eb0b67793d74a44
Opcode Fuzzy Hash: dca220f15691698803de77b09d7953e0dbfa5541a9186c1c3a0334aba3a2b107
Instruction Fuzzy Hash: 38C00277415762CEEB582BB6A949BAC2A246BE1305F048095A46768AB1CF740948CA52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BfwPdttqxH

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BfwPdttqxH.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dc33iso.2wh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qidwwvk3.wko.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3bd04b3.uye.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxtn0rnf.2ib.ps1

C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

C:\Users\user\AppData\Local\Temp\tmpD691.tmp

C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat

C:\Users\user\AppData\Roaming\.exe

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe:Zone.Identifier

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.c1En_sl3.20220805202448.txt

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.v9r7NV+a.20220805202421.txt

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

\Device\Null

Static File Info

Windows Analysis Report
BfwPdttqxH