Edit tour

Windows Analysis Report
FylY1FW6fl.exe

Overview

General Information

Sample name:	FylY1FW6fl.exe renamed because original name is a hash value
Original sample name:	ef8db8c775992ab8b93fccd7ded9c5cba67faba2bd0c1c6fff900fe87e79e62f.exe
Analysis ID:	1588136
MD5:	b1ebcd89d248f11a6bbee488bdecfc07
SHA1:	4ef62c22addafdae91dfc66d8fa5bc9fbd06cd2f
SHA256:	ef8db8c775992ab8b93fccd7ded9c5cba67faba2bd0c1c6fff900fe87e79e62f
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FylY1FW6fl.exe (PID: 1408 cmdline: "C:\Users\user\Desktop\FylY1FW6fl.exe" MD5: B1EBCD89D248F11A6BBEE488BDECFC07)

powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5088 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

FylY1FW6fl.exe (PID: 6152 cmdline: "C:\Users\user\Desktop\FylY1FW6fl.exe" MD5: B1EBCD89D248F11A6BBEE488BDECFC07)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "rock@supamemo.sbs", "Password": "W0kz);5}7i_aesKD", "Server": "mail.supamemo.sbs", "To": "rocee@supamemo.sbs", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xee6f:$a1: get_encryptedPassword 0xf197:$a2: get_encryptedUsername 0xec0a:$a3: get_timePasswordChanged 0xed2b:$a4: get_passwordField 0xee85:$a5: set_encryptedPassword 0x107d6:$a7: get_logins 0x10487:$a8: GetOutlookPasswords 0x10279:$a9: StartKeylogger 0x10726:$a10: KeyLoggerEventArgs 0x102d6:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3a177:$a1: get_encryptedPassword 0x50b97:$a1: get_encryptedPassword 0x3a49f:$a2: get_encryptedUsername 0x50ebf:$a2: get_encryptedUsername 0x39f12:$a3: get_timePasswordChanged 0x50932:$a3: get_timePasswordChanged 0x3a033:$a4: get_passwordField 0x50a53:$a4: get_passwordField 0x3a18d:$a5: set_encryptedPassword 0x50bad:$a5: set_encryptedPassword 0x3bade:$a7: get_logins 0x524fe:$a7: get_logins 0x3b78f:$a8: GetOutlookPasswords 0x521af:$a8: GetOutlookPasswords 0x3b581:$a9: StartKeylogger 0x51fa1:$a9: StartKeylogger 0x3ba2e:$a10: KeyLoggerEventArgs 0x5244e:$a10: KeyLoggerEventArgs 0x3b5de:$a11: KeyLoggerEventArgsEventHandler 0x51ffe:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2475218687.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x241ac7:$a1: get_encryptedPassword 0x241def:$a2: get_encryptedUsername 0x241862:$a3: get_timePasswordChanged 0x241983:$a4: get_passwordField 0x241add:$a5: set_encryptedPassword 0x24342e:$a7: get_logins 0x2430df:$a8: GetOutlookPasswords 0x242ed1:$a9: StartKeylogger 0x24337e:$a10: KeyLoggerEventArgs 0x242f2e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FylY1FW6fl.exe PID: 1408	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 1408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 1408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 1408	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 1408	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5d509:$a1: get_encryptedPassword 0x64d5d:$a1: get_encryptedPassword 0x5d76c:$a2: get_encryptedUsername 0x65076:$a2: get_encryptedUsername 0x5d2cb:$a3: get_timePasswordChanged 0x64b0c:$a3: get_timePasswordChanged 0x5d3e0:$a4: get_passwordField 0x64c2d:$a4: get_passwordField 0x5d51f:$a5: set_encryptedPassword 0x64d73:$a5: set_encryptedPassword 0x5e912:$a7: get_logins 0x6666b:$a7: get_logins 0x5e66f:$a8: GetOutlookPasswords 0x6631c:$a8: GetOutlookPasswords 0x5e4dd:$a9: StartKeylogger 0x6610e:$a9: StartKeylogger 0x5e877:$a10: KeyLoggerEventArgs 0x665bb:$a10: KeyLoggerEventArgs 0x5e53a:$a11: KeyLoggerEventArgsEventHandler 0x6616b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FylY1FW6fl.exe PID: 6152	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 6152	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 6152	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FylY1FW6fl.exe PID: 6152	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x51ccd:$a1: get_encryptedPassword 0x51fe6:$a2: get_encryptedUsername 0x51a7c:$a3: get_timePasswordChanged 0x51b9d:$a4: get_passwordField 0x51ce3:$a5: set_encryptedPassword 0x535db:$a7: get_logins 0x5328c:$a8: GetOutlookPasswords 0x5307e:$a9: StartKeylogger 0x5352b:$a10: KeyLoggerEventArgs 0x530db:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf06f:$a1: get_encryptedPassword 0xf397:$a2: get_encryptedUsername 0xee0a:$a3: get_timePasswordChanged 0xef2b:$a4: get_passwordField 0xf085:$a5: set_encryptedPassword 0x109d6:$a7: get_logins 0x10687:$a8: GetOutlookPasswords 0x10479:$a9: StartKeylogger 0x10926:$a10: KeyLoggerEventArgs 0x104d6:$a11: KeyLoggerEventArgsEventHandler
0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13ffd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x134fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x13809:$a4: \Orbitum\User Data\Default\Login Data 0x14601:$a5: \Kometa\User Data\Default\Login Data
0.2.FylY1FW6fl.exe.40c4108.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FylY1FW6fl.exe.40c4108.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FylY1FW6fl.exe.40c4108.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FylY1FW6fl.exe.40c4108.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd26f:$a1: get_encryptedPassword 0xd597:$a2: get_encryptedUsername 0xd00a:$a3: get_timePasswordChanged 0xd12b:$a4: get_passwordField 0xd285:$a5: set_encryptedPassword 0xebd6:$a7: get_logins 0xe887:$a8: GetOutlookPasswords 0xe679:$a9: StartKeylogger 0xeb26:$a10: KeyLoggerEventArgs 0xe6d6:$a11: KeyLoggerEventArgsEventHandler
0.2.FylY1FW6fl.exe.40c4108.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x121fd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x116fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a09:$a4: \Orbitum\User Data\Default\Login Data 0x12801:$a5: \Kometa\User Data\Default\Login Data
0.2.FylY1FW6fl.exe.40dab28.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FylY1FW6fl.exe.40dab28.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FylY1FW6fl.exe.40dab28.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FylY1FW6fl.exe.40dab28.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd26f:$a1: get_encryptedPassword 0xd597:$a2: get_encryptedUsername 0xd00a:$a3: get_timePasswordChanged 0xd12b:$a4: get_passwordField 0xd285:$a5: set_encryptedPassword 0xebd6:$a7: get_logins 0xe887:$a8: GetOutlookPasswords 0xe679:$a9: StartKeylogger 0xeb26:$a10: KeyLoggerEventArgs 0xe6d6:$a11: KeyLoggerEventArgsEventHandler
0.2.FylY1FW6fl.exe.40dab28.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x121fd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x116fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a09:$a4: \Orbitum\User Data\Default\Login Data 0x12801:$a5: \Kometa\User Data\Default\Login Data
4.2.FylY1FW6fl.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.FylY1FW6fl.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.FylY1FW6fl.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.FylY1FW6fl.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf06f:$a1: get_encryptedPassword 0xf397:$a2: get_encryptedUsername 0xee0a:$a3: get_timePasswordChanged 0xef2b:$a4: get_passwordField 0xf085:$a5: set_encryptedPassword 0x109d6:$a7: get_logins 0x10687:$a8: GetOutlookPasswords 0x10479:$a9: StartKeylogger 0x10926:$a10: KeyLoggerEventArgs 0x104d6:$a11: KeyLoggerEventArgsEventHandler
4.2.FylY1FW6fl.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13ffd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x134fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x13809:$a4: \Orbitum\User Data\Default\Login Data 0x14601:$a5: \Kometa\User Data\Default\Login Data
0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x69e8f:$a1: get_encryptedPassword 0x6a1b7:$a2: get_encryptedUsername 0x69c2a:$a3: get_timePasswordChanged 0x69d4b:$a4: get_passwordField 0x69ea5:$a5: set_encryptedPassword 0x6b7f6:$a7: get_logins 0x6b4a7:$a8: GetOutlookPasswords 0x6b299:$a9: StartKeylogger 0x6b746:$a10: KeyLoggerEventArgs 0x6b2f6:$a11: KeyLoggerEventArgsEventHandler
0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x6ee1d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6e31b:$a3: \Google\Chrome\User Data\Default\Login Data 0x6e629:$a4: \Orbitum\User Data\Default\Login Data 0x6f421:$a5: \Kometa\User Data\Default\Login Data
0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf06f:$a1: get_encryptedPassword 0x25a8f:$a1: get_encryptedPassword 0xf397:$a2: get_encryptedUsername 0x25db7:$a2: get_encryptedUsername 0xee0a:$a3: get_timePasswordChanged 0x2582a:$a3: get_timePasswordChanged 0xef2b:$a4: get_passwordField 0x2594b:$a4: get_passwordField 0xf085:$a5: set_encryptedPassword 0x25aa5:$a5: set_encryptedPassword 0x109d6:$a7: get_logins 0x273f6:$a7: get_logins 0x10687:$a8: GetOutlookPasswords 0x270a7:$a8: GetOutlookPasswords 0x10479:$a9: StartKeylogger 0x26e99:$a9: StartKeylogger 0x10926:$a10: KeyLoggerEventArgs 0x27346:$a10: KeyLoggerEventArgs 0x104d6:$a11: KeyLoggerEventArgsEventHandler 0x26ef6:$a11: KeyLoggerEventArgsEventHandler
0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13ffd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2aa1d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x134fb:$a3: \Google\Chrome\User Data\Default\Login Data 0x29f1b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13809:$a4: \Orbitum\User Data\Default\Login Data 0x2a229:$a4: \Orbitum\User Data\Default\Login Data 0x14601:$a5: \Kometa\User Data\Default\Login Data 0x2b021:$a5: \Kometa\User Data\Default\Login Data
0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc4eaf:$a1: get_encryptedPassword 0xc51d7:$a2: get_encryptedUsername 0xc4c4a:$a3: get_timePasswordChanged 0xc4d6b:$a4: get_passwordField 0xc4ec5:$a5: set_encryptedPassword 0xc6816:$a7: get_logins 0xc64c7:$a8: GetOutlookPasswords 0xc62b9:$a9: StartKeylogger 0xc6766:$a10: KeyLoggerEventArgs 0xc6316:$a11: KeyLoggerEventArgsEventHandler
0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xc9e3d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc933b:$a3: \Google\Chrome\User Data\Default\Login Data 0xc9649:$a4: \Orbitum\User Data\Default\Login Data 0xca441:$a5: \Kometa\User Data\Default\Login Data
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FylY1FW6fl.exe", ParentImage: C:\Users\user\Desktop\FylY1FW6fl.exe, ParentProcessId: 1408, ParentProcessName: FylY1FW6fl.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe", ProcessId: 5248, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FylY1FW6fl.exe", ParentImage: C:\Users\user\Desktop\FylY1FW6fl.exe, ParentProcessId: 1408, ParentProcessName: FylY1FW6fl.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe", ProcessId: 5248, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:46:33.704097+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "rock@supamemo.sbs", "Password": "W0kz);5}7i_aesKD", "Server": "mail.supamemo.sbs", "To": "rocee@supamemo.sbs", "Port": 587}

Multi AV Scanner detection for submitted file

Source: FylY1FW6fl.exe	Virustotal: Detection: 74%			Perma Link
Source: FylY1FW6fl.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FylY1FW6fl.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FylY1FW6fl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49703 version: TLS 1.0

Source: FylY1FW6fl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 02989731h	4_2_02989480
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 02989E5Ah	4_2_02989A40
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 02989E5Ah	4_2_02989A30
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 02989E5Ah	4_2_02989D87
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056362B5h	4_2_056360D8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05636C3Fh	4_2_056360D8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056318A0h	4_2_056315F8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05633840h	4_2_05633598
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056326E0h	4_2_05632438
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05630740h	4_2_05630498
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056349A0h	4_2_056346F8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056333E8h	4_2_05633140
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then mov esp, ebp	4_2_05639120
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_056351E8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05631448h	4_2_056311A0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056302E8h	4_2_05630040
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05634548h	4_2_056342A0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05630FF0h	4_2_05630D48
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05632F90h	4_2_05632CE8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 056340F0h	4_2_05633E48
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05632152h	4_2_05631EA8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05633C98h	4_2_056339F0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_056359FB
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_0563581B
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05630B98h	4_2_056308F0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05632B38h	4_2_05632890
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05634DF8h	4_2_05634B50
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4x nop then jmp 05631CF8h	4_2_05631A50

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49703 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: FylY1FW6fl.exe, 00000000.00000002.1243702755.000000000323C000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_055BD74C	0_2_055BD74C
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F55E8	0_2_078F55E8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6458	0_2_078F6458
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FD280	0_2_078FD280
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F42F0	0_2_078F42F0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FBC58	0_2_078FBC58
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FDB80	0_2_078FDB80
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F4BB0	0_2_078F4BB0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F3793	0_2_078F3793
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F37A0	0_2_078F37A0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F8739	0_2_078F8739
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F8748	0_2_078F8748
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FC638	0_2_078FC638
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FC648	0_2_078FC648
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F55DB	0_2_078F55DB
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F8530	0_2_078F8530
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F8540	0_2_078F8540
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6391	0_2_078F6391
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F633A	0_2_078F633A
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F7338	0_2_078F7338
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F7331	0_2_078F7331
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6371	0_2_078F6371
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F42DF	0_2_078F42DF
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F42EF	0_2_078F42EF
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FC241	0_2_078FC241
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FC250	0_2_078FC250
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F4250	0_2_078F4250
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FD270	0_2_078FD270
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FE120	0_2_078FE120
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FE130	0_2_078FE130
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5048	0_2_078F5048
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5047	0_2_078F5047
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FBF00	0_2_078FBF00
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FBF10	0_2_078FBF10
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FBC48	0_2_078FBC48
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F4BAF	0_2_078F4BAF
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F8BB8	0_2_078F8BB8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F8BB7	0_2_078F8BB7
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FDB70	0_2_078FDB70
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FCA08	0_2_078FCA08
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FCA07	0_2_078FCA07
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F89D8	0_2_078F89D8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F89D7	0_2_078F89D7
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FC820	0_2_078FC820
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_0298C530	4_2_0298C530
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_02989480	4_2_02989480
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_0298C521	4_2_0298C521
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_02982DD1	4_2_02982DD1
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_0298946F	4_2_0298946F
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05638030	4_2_05638030
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056360D8	4_2_056360D8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05637390	4_2_05637390
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05636D48	4_2_05636D48
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056379E0	4_2_056379E0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056315E8	4_2_056315E8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056315F8	4_2_056315F8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05633588	4_2_05633588
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05633598	4_2_05633598
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05632427	4_2_05632427
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05632438	4_2_05632438
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05630488	4_2_05630488
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05630498	4_2_05630498
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056346E9	4_2_056346E9
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056346F8	4_2_056346F8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056386B0	4_2_056386B0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_0563869F	4_2_0563869F
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05633140	4_2_05633140
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05633132	4_2_05633132
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056351E8	4_2_056351E8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056351D8	4_2_056351D8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056311A0	4_2_056311A0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05631190	4_2_05631190
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05630040	4_2_05630040
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05638024	4_2_05638024
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05630007	4_2_05630007
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056360C9	4_2_056360C9
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05637380	4_2_05637380
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056342A0	4_2_056342A0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05634290	4_2_05634290
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05630D48	4_2_05630D48
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05636D37	4_2_05636D37
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05630D39	4_2_05630D39
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05632CE8	4_2_05632CE8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05632CD8	4_2_05632CD8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05633E48	4_2_05633E48
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05633E38	4_2_05633E38
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05631EA8	4_2_05631EA8
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05631E9A	4_2_05631E9A
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056339E2	4_2_056339E2
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056339F0	4_2_056339F0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056379D0	4_2_056379D0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056308E1	4_2_056308E1
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_056308F0	4_2_056308F0
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05632880	4_2_05632880
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05632890	4_2_05632890
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05634B40	4_2_05634B40
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05634B50	4_2_05634B50
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05631A40	4_2_05631A40
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_05631A50	4_2_05631A50

Source: FylY1FW6fl.exe, 00000000.00000000.1227567997.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedbPa.exe4 vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1242169245.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1251195476.000000000A4E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1248851723.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000000.00000002.1243702755.000000000323C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe, 00000004.00000002.2472937490.00000000009F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FylY1FW6fl.exe
Source: FylY1FW6fl.exe	Binary or memory string: OriginalFilenamedbPa.exe4 vs FylY1FW6fl.exe

Source: FylY1FW6fl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: FylY1FW6fl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FylY1FW6fl.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvl14bdx.2j1.ps1

Jump to behavior

Source: FylY1FW6fl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FylY1FW6fl.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002BAE000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2476383811.0000000003AFD000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002BED000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FylY1FW6fl.exe	Virustotal: Detection: 74%
Source: FylY1FW6fl.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\FylY1FW6fl.exe "C:\Users\user\Desktop\FylY1FW6fl.exe"
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe"
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Users\user\Desktop\FylY1FW6fl.exe "C:\Users\user\Desktop\FylY1FW6fl.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Users\user\Desktop\FylY1FW6fl.exe "C:\Users\user\Desktop\FylY1FW6fl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FylY1FW6fl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FylY1FW6fl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F77F7 push esi; ret	0_2_078F7806
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F542B push ecx; ret	0_2_078F5436
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6302 push edx; ret	0_2_078F6304
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6224 push eax; ret	0_2_078F6225
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6157 push edx; ret	0_2_078F6159
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F6092 push ebx; ret	0_2_078F6094
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FD04B push CC078FCCh; retf	0_2_078FD051
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078FE05B pushfd ; ret	0_2_078FE061
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5F00 push eax; ret	0_2_078F5F02
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F4ED8 push ebx; ret	0_2_078F4EE6
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5CAA push esi; ret	0_2_078F5CAC
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5CD8 push eax; ret	0_2_078F5CE7
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5937 push ebx; ret	0_2_078F5938
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5972 push ebx; ret	0_2_078F5974
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5880 push edx; ret	0_2_078F5882
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 0_2_078F5854 push ebx; ret	0_2_078F5856
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Code function: 4_2_0563BCDF push esp; retf	4_2_0563BD19

Source: FylY1FW6fl.exe

Static PE information: section name: .text entropy: 7.595029409985664

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 5090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 7A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 8BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: A540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: B540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: C540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5669			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4140			Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe TID: 7152	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 60	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: FylY1FW6fl.exe, 00000000.00000002.1242169245.0000000001315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\,o
Source: FylY1FW6fl.exe, 00000004.00000002.2473880158.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe"
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe"			Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe"			Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Process created: C:\Users\user\Desktop\FylY1FW6fl.exe "C:\Users\user\Desktop\FylY1FW6fl.exe"			Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Users\user\Desktop\FylY1FW6fl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Users\user\Desktop\FylY1FW6fl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FylY1FW6fl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\FylY1FW6fl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FylY1FW6fl.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2475218687.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40dab28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FylY1FW6fl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4adac38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.40c4108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FylY1FW6fl.exe.4a7fc18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FylY1FW6fl.exe PID: 6152, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FylY1FW6fl.exe	74%	Virustotal		Browse
FylY1FW6fl.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
FylY1FW6fl.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FylY1FW6fl.exe, 00000000.00000002.1243702755.000000000323C000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2475218687.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, FylY1FW6fl.exe, 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588136
Start date and time:	2025-01-10 21:45:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FylY1FW6fl.exe renamed because original name is a hash value
Original Sample Name:	ef8db8c775992ab8b93fccd7ded9c5cba67faba2bd0c1c6fff900fe87e79e62f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 48
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:46:30	API Interceptor	2x Sleep call for process: FylY1FW6fl.exe modified
15:46:31	API Interceptor	12x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
104.21.32.1	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
checkip.dyndns.com	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1

Process:	C:\Users\user\Desktop\FylY1FW6fl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	F9B7CF60C22DBE6B73266580FFD54629
SHA1:	05ED734C0A5EF2ECD025D4E39321ECDC96612623
SHA-256:	880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
SHA-512:	F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1y4101cz.glp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knplpcic.nzw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvl14bdx.2j1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yc0fkyo0.whj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.589386827651128
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	FylY1FW6fl.exe
File size:	684'032 bytes
MD5:	b1ebcd89d248f11a6bbee488bdecfc07
SHA1:	4ef62c22addafdae91dfc66d8fa5bc9fbd06cd2f
SHA256:	ef8db8c775992ab8b93fccd7ded9c5cba67faba2bd0c1c6fff900fe87e79e62f
SHA512:	48c23a05c14348ff2ad8137a14b111fecc000d0490ae2df50d2f7d84e9b93bcd7e499a2ac18ab8d5c92dcda45b6d33c89562d154463fb5679059a223cee49830
SSDEEP:	12288:0iMKhM39TXsTAiALDKuxoMpn0c7TX2XRRfjgx6M0XiKu8h2cWp18:bMaciJuxPL7TXeRfjgwXluGy1
TLSH:	95E4BFC03F3AB312DE6CB434852AEDB862592E74B104B9F36EDD3B5776991129A0CF14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RYg..............0..X...........v... ........@.. ....................................@................................

File Icon


Icon Hash:	335153b476545533

Static PE Info

General

Entrypoint:	0x4a76be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67595200 [Wed Dec 11 08:49:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F1C08AE3A92h
je 00007F1C08AE3A92h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F1C08AE3A92h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F1C08AE3A92h
jnc 00007F1C08AE3A92h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa766c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x1294	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa5704	0xa5800	714743b6e379bb120a766544a0792d77	False	0.8523428648980362	data	7.595029409985664	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x1294	0x1400	70065f33e1204a7ab9b3eff71d9ab8ed	False	0.7890625	data	6.741947251644161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	638ca8454a4faacfd287f263cbd07650	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa80c8	0xed4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9444151738672286
RT_GROUP_ICON	0xa8fac	0x14	data	1.05
RT_VERSION	0xa8fd0	0x2be	data	0.4658119658119658

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:46:33.704097+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49701	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:46:32.565464020 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:46:32.571803093 CET	80	49701	132.226.8.169	192.168.2.7
Jan 10, 2025 21:46:32.571883917 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:46:32.572132111 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:46:32.577290058 CET	80	49701	132.226.8.169	192.168.2.7
Jan 10, 2025 21:46:33.380412102 CET	80	49701	132.226.8.169	192.168.2.7
Jan 10, 2025 21:46:33.385458946 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:46:33.390327930 CET	80	49701	132.226.8.169	192.168.2.7
Jan 10, 2025 21:46:33.662003994 CET	80	49701	132.226.8.169	192.168.2.7
Jan 10, 2025 21:46:33.682529926 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:33.682549953 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:33.683044910 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:33.689646959 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:33.689657927 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:33.704097033 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:46:34.163556099 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:34.163654089 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:34.170244932 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:34.170252085 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:34.170542002 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:34.219564915 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:34.226138115 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:34.267322063 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:34.340730906 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:34.340781927 CET	443	49703	104.21.32.1	192.168.2.7
Jan 10, 2025 21:46:34.340881109 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:46:34.350656986 CET	49703	443	192.168.2.7	104.21.32.1
Jan 10, 2025 21:47:38.661099911 CET	80	49701	132.226.8.169	192.168.2.7
Jan 10, 2025 21:47:38.661190033 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:48:13.673903942 CET	49701	80	192.168.2.7	132.226.8.169
Jan 10, 2025 21:48:13.678817034 CET	80	49701	132.226.8.169	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:46:32.519125938 CET	65200	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:46:32.527332067 CET	53	65200	1.1.1.1	192.168.2.7
Jan 10, 2025 21:46:33.674303055 CET	52024	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:46:33.681689978 CET	53	52024	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:46:32.519125938 CET	192.168.2.7	1.1.1.1	0xb353	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.674303055 CET	192.168.2.7	1.1.1.1	0xf238	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:46:32.527332067 CET	1.1.1.1	192.168.2.7	0xb353	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:46:32.527332067 CET	1.1.1.1	192.168.2.7	0xb353	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:32.527332067 CET	1.1.1.1	192.168.2.7	0xb353	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:32.527332067 CET	1.1.1.1	192.168.2.7	0xb353	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:32.527332067 CET	1.1.1.1	192.168.2.7	0xb353	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:32.527332067 CET	1.1.1.1	192.168.2.7	0xb353	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:46:33.681689978 CET	1.1.1.1	192.168.2.7	0xf238	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	132.226.8.169	80	6152	C:\Users\user\Desktop\FylY1FW6fl.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:46:32.572132111 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:46:33.380412102 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:46:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:46:33.385458946 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:46:33.662003994 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:46:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	104.21.32.1	443	6152	C:\Users\user\Desktop\FylY1FW6fl.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:46:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:46:34 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:46:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1856783 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=riQatBmpxY7IR%2FAXw%2BbvDbG1EYu3X4pPzq7Imd%2BMlgA3Z1zdZhU71WDBlmz2oVKkmE47Nzwqmnhkf4LxLbgs3kfDB1BcWonZVPFQ8B72QAdqWNw6zlbbY%2FidoRX2Ny8D%2BvlQsSUt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff84683ef61875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1927&min_rtt=1577&rtt_var=1292&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=666362&cwnd=153&unsent_bytes=0&cid=b1174a6a2ad8f093&ts=193&x=0"
2025-01-10 20:46:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	15:46:29
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FylY1FW6fl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FylY1FW6fl.exe"
Imagebase:	0xda0000
File size:	684'032 bytes
MD5 hash:	B1EBCD89D248F11A6BBEE488BDECFC07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1244205988.0000000004099000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1244205988.0000000004903000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:46:30
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FylY1FW6fl.exe"
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:46:30
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FylY1FW6fl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FylY1FW6fl.exe"
Imagebase:	0x7c0000
File size:	684'032 bytes
MD5 hash:	B1EBCD89D248F11A6BBEE488BDECFC07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2472600878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2475218687.0000000002BF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:46:30
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:46:32
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	98
Total number of Limit Nodes:	7

Executed Functions

Function 078F633A Relevance: 2.9, Strings: 2, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 078F6724
ry, xrefs: 078F672B

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: ry$ry
API String ID: 0-883804406
Opcode ID: 5c5488115f39bb4647ffb5a32fa66403bdd3fd117da7228f28a02499fde845f1
Instruction ID: b8acd4ef6814fd9c8626403c43c29c001d30e24294f8e90d472868a619ef08d0
Opcode Fuzzy Hash: 5c5488115f39bb4647ffb5a32fa66403bdd3fd117da7228f28a02499fde845f1
Instruction Fuzzy Hash: 2BF1BEB5E1420ADFCB04DFA9D4814AEFBB2FF99310B20865AD505EB244E735A946CF90

Function 078F6391 Relevance: 2.9, Strings: 2, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 078F6724
ry, xrefs: 078F672B

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: ry$ry
API String ID: 0-883804406
Opcode ID: 7134ea2693703fbe10eb6c2ef83e1c5f7129639356cbae1c4006be45f84e1811
Instruction ID: a987e60de8e4246716eeb4345c105321370a7e667976502deed983434f8e321f
Opcode Fuzzy Hash: 7134ea2693703fbe10eb6c2ef83e1c5f7129639356cbae1c4006be45f84e1811
Instruction Fuzzy Hash: FEE1BEB5E1420ADFCB04DFA9D4814AEFBB2FF99310F20865AD505EB244E735A946CF90

Function 078F6371 Relevance: 2.8, Strings: 2, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 078F6724
ry, xrefs: 078F672B

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: ry$ry
API String ID: 0-883804406
Opcode ID: ef9ada4a8f577eafeb4d4893e5f30ba8df79cccc60756e6b5c7fcd49fb76d4b5
Instruction ID: 2d981c439d5b365546547a445ff01b3be03bc71d09ca3cc067035d7cdd6f8ffb
Opcode Fuzzy Hash: ef9ada4a8f577eafeb4d4893e5f30ba8df79cccc60756e6b5c7fcd49fb76d4b5
Instruction Fuzzy Hash: A3E17AB4E1420ADFCB04DFA9D4859AEFBB2FF99300F108659D605EB244E734A946CF94

Function 078F6458 Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 078F6724
ry, xrefs: 078F672B

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: ry$ry
API String ID: 0-883804406
Opcode ID: 60cb2bb6895491035b8ef319e4ca9b5e6a1961dcc099d8e50f475a4f1a8a19bf
Instruction ID: 0208df01bd0cc3bc928cf3532b185b4e40d59b4e266a3613608a2b033e185384
Opcode Fuzzy Hash: 60cb2bb6895491035b8ef319e4ca9b5e6a1961dcc099d8e50f475a4f1a8a19bf
Instruction Fuzzy Hash: E2C126B0E1421ADFCB04DFA9C4858AEFBB2FF99300B108659D615EB354D734AA42CF94

Function 078FD280 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 078FD3F0
UC;", xrefs: 078FD46E

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 7f9be8c15de10f73de91125ba948704fb82453975a9590e241e0880d11e67a78
Instruction ID: 7a1dcd1fbffb8673dae05970a59b6c1a1d7b72e7dd1115b7b96fcdada4556537
Opcode Fuzzy Hash: 7f9be8c15de10f73de91125ba948704fb82453975a9590e241e0880d11e67a78
Instruction Fuzzy Hash: 00911AB5E2520DDFCB08CFE5D89059EFBB2EF99310F10942AE619AB264D7309542CF54

Function 078FD270 Relevance: 2.7, Strings: 2, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 078FD3F0
UC;", xrefs: 078FD46E

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 61f5f55945494eda1fdf8df69cae9165ae006ca5b5dce37b0f2d2db839fc2132
Instruction ID: 90f3b4e33789661ca83a6fc85ebd31aac0b30045ed9c7b287dff2c78213b3c00
Opcode Fuzzy Hash: 61f5f55945494eda1fdf8df69cae9165ae006ca5b5dce37b0f2d2db839fc2132
Instruction Fuzzy Hash: DC912AB1E2520DDFCB08CFA5D99059EFBB2EF89310F10942AE619E7264D730A941CF54

Function 078F4250 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

z^I, xrefs: 078F44B1

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: c5f9adcc997697b687f5463cbacaef7b6486a92f1c7dd9d47f352f5e017becd6
Instruction ID: 7d12689c66c3ab29a65572ffcf5de34b134ef2db631ae9744c6ee6795ef3be74
Opcode Fuzzy Hash: c5f9adcc997697b687f5463cbacaef7b6486a92f1c7dd9d47f352f5e017becd6
Instruction Fuzzy Hash: 5AB135B5E1425ACFCB04CFA9D880ADEFBB2FF89310F24902AD459AB214D7349946CF54

Function 078F42DF Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

z^I, xrefs: 078F44B1

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: d1b9449f50b047a4b3d0ce547869fbf35bb65c8b53d1bd0448f43e69af428cf4
Instruction ID: 980a13f8dfd99171ca13f84caaaa147cbf93fca5e2094182efcc3d644fce233a
Opcode Fuzzy Hash: d1b9449f50b047a4b3d0ce547869fbf35bb65c8b53d1bd0448f43e69af428cf4
Instruction Fuzzy Hash: 77A134B4E142598FCB04CFE9C884ADEFBB2FF89310F20952AD419AB258D7349946CF54

Function 078F42F0 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

z^I, xrefs: 078F44B1

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 6f3e82f04bacaf66021efc987ed84d20afc48ca4539de1d23766aded092c6d50
Instruction ID: ac8ae0898b61543d1fe657c4a3b5a7462fcdb528994653ff3389e5b3f4667893
Opcode Fuzzy Hash: 6f3e82f04bacaf66021efc987ed84d20afc48ca4539de1d23766aded092c6d50
Instruction Fuzzy Hash: D791D3B4E142198FCB08CFEAC584A9EFBB2FF89314F24942AD519BB264D7349905CF54

Function 078F42EF Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

z^I, xrefs: 078F44B1

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 520728190fab8c180d4360dae3b017211aa99a050ca91afb48fe1e64da7ad6c6
Instruction ID: 5d5f088cc18e777a3daab45d7c820e2fde7c7fabf19c979215ee788f8bc1f40d
Opcode Fuzzy Hash: 520728190fab8c180d4360dae3b017211aa99a050ca91afb48fe1e64da7ad6c6
Instruction Fuzzy Hash: 4391D3B4E142198FDB08CFE9C584A9EFBB2FF89304F24942AD519BB268D7349905CF54

Function 078FBC48 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

5=6, xrefs: 078FBD86

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 6c0864e4bd905e54646010e843d656275cec391b50f1b2c5d520d6825ab3d26e
Instruction ID: 3ebd36c604b8037d177367a99723a0da60f444f91d780d9348660ce55f1156ef
Opcode Fuzzy Hash: 6c0864e4bd905e54646010e843d656275cec391b50f1b2c5d520d6825ab3d26e
Instruction Fuzzy Hash: E4714AB4E1520E9FCB04DFA6D8414AEFFB6FF89221F10E92AD115E7254DB349A018F64

Function 078FBC58 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 078FBD86

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: b27ce22e25750924bdbce440472878cd9b37d17a37217d4538e35c35aac6ce63
Instruction ID: 19085d1db1ac8d4b8dcb9a333f487eba1aed022bc5441293703c5bb5462b37a5
Opcode Fuzzy Hash: b27ce22e25750924bdbce440472878cd9b37d17a37217d4538e35c35aac6ce63
Instruction Fuzzy Hash: 53613AB4E1520E9FCB04CFA6D8414AEFFB6FF89221F10A92AD116E7254DB349A018F54

Function 078F4BB0 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

-2m, xrefs: 078F4CC3

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 8b02d0c672e74073cad082a449f910485fa0e192888f373f4d04c6d9f8d9e59e
Instruction ID: c87fd1f41c7a82ceca993add5b50bd8be76324c7f28e5e21de02bb6aa9e942e7
Opcode Fuzzy Hash: 8b02d0c672e74073cad082a449f910485fa0e192888f373f4d04c6d9f8d9e59e
Instruction Fuzzy Hash: 25512AB4E142598FDB08CF9AD5806AEFBF2FF89310F24D06AD519F7254D73459408B64

Function 078F4BAF Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

-2m, xrefs: 078F4CC3

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 0825f63f0b835bb0302fb85fc7cec7ad546fb6a2bf44682f63981c70796e88f0
Instruction ID: a7dbcd85bfc673ef40d2544be292ca9547540ff4b33e5001971a5f55d7d0d6bc
Opcode Fuzzy Hash: 0825f63f0b835bb0302fb85fc7cec7ad546fb6a2bf44682f63981c70796e88f0
Instruction Fuzzy Hash: 665148B0E142498BDB08CFAAC5806AEFBF2FF89310F24D06AD519A7254D7348A418B64

Function 078FDB80 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f1aa93e80df57a2e6b1faa0bdaa300f16a36879f2888be1445d6fd6ff5bf55
Instruction ID: 876f104c2cb4bb3f2c8d18cdb4013125e6e8e1b04f9354d16351a414e87290ed
Opcode Fuzzy Hash: 44f1aa93e80df57a2e6b1faa0bdaa300f16a36879f2888be1445d6fd6ff5bf55
Instruction Fuzzy Hash: 33B1F6B1E1520DDFCB18CFA6D58459EFBB2BF99310F20942AD215EB254DB349A06CF60

Function 078FDB70 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8564d7a8dae67c306ef71273a7fd849cf6754d87785042f7f5ca1a93511c85
Instruction ID: 600a171a2751be5e3d4678c27fef774afa894ba3e67efe81eb46e44d68736567
Opcode Fuzzy Hash: 8f8564d7a8dae67c306ef71273a7fd849cf6754d87785042f7f5ca1a93511c85
Instruction Fuzzy Hash: 72B117B1E152099FCB18CFA6D58469EFBB2BF99310F20942AD215EB254DB349A02CF50

Function 078F55E8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210fc493617787af8afab22f244c9f1467aa0429b250d0aea890993496897bc
Instruction ID: a58d323bf839aabd9e5c5e4d9be726fe6ff80761185b968cfb76ff8f5adf9df2
Opcode Fuzzy Hash: f210fc493617787af8afab22f244c9f1467aa0429b250d0aea890993496897bc
Instruction Fuzzy Hash: 8B2124B1E016188BDB18CFABD8446DEBBB3BFC9310F14C06AD509A6264DB355A46CF90

Function 078F55DB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6615f4ec93e622f58876357c9cbac5ab99127b8fa8bfc13aa08c5461aac564
Instruction ID: 8dd4e283a90c0480ba47a9177b8d4f0927b36c16f0efc87f509d01ad2dcf343d
Opcode Fuzzy Hash: 8d6615f4ec93e622f58876357c9cbac5ab99127b8fa8bfc13aa08c5461aac564
Instruction Fuzzy Hash: 7521E7B1E006189BEB18CFABC94578EBFF3AFC9310F14C169D409A6258DB755946CF90

Function 055BD1C8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 055BD256
GetCurrentThread.KERNEL32 ref: 055BD293
GetCurrentProcess.KERNEL32 ref: 055BD2D0
GetCurrentThreadId.KERNEL32 ref: 055BD329

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e515477c776a949ca147a5bfda934f4b33b9980441f72c8152f9e55ccd563192
Instruction ID: 294e2a0cb8684851810c2b3bfc93cffe947f4b8b7a9bca92b32eafda18f11928
Opcode Fuzzy Hash: e515477c776a949ca147a5bfda934f4b33b9980441f72c8152f9e55ccd563192
Instruction Fuzzy Hash: B55176B09013498FEB14DFAAD549BEEBBF1FF88314F208459E019A72A0DB749845CF65

Function 055BD1D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 055BD256
GetCurrentThread.KERNEL32 ref: 055BD293
GetCurrentProcess.KERNEL32 ref: 055BD2D0
GetCurrentThreadId.KERNEL32 ref: 055BD329

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f2280cd868dac0fc9d262063c9cadefce7a5eea8e486f071799ce0e8ef286a99
Instruction ID: 6915e15053166afe4b1f4df8eb154bc92b8404d6f8b0e9e80dcb3616af623068
Opcode Fuzzy Hash: f2280cd868dac0fc9d262063c9cadefce7a5eea8e486f071799ce0e8ef286a99
Instruction Fuzzy Hash: F35155B09003498FEB14DFAAD549BDEBBF1FB88314F208419E019A72A0DB74A945CF65

Function 055BB20B Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 055BB47E

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: be67f0ff671d66415cca57f5abb87f0a44cc7c0f623b9dc1a99176cc80ce64a3
Instruction ID: c266d44249cfc45c88d8d1f65aaaf13505114f433c7d30fae57515c565794ed5
Opcode Fuzzy Hash: be67f0ff671d66415cca57f5abb87f0a44cc7c0f623b9dc1a99176cc80ce64a3
Instruction Fuzzy Hash: DA817C70A00B059FE724DF6AD4557AABBF1FF88310F00892ED486D7A50DBB5E845CB91

Function 055B449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 055B59A9

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 95b5fa99d104643c4bd0ef951615dc2285e048137186f8d7c01882fbfabeb409
Instruction ID: bedb602f87f32a727ee960656050c7c6a85ff2178d2422704854a253e21d3399
Opcode Fuzzy Hash: 95b5fa99d104643c4bd0ef951615dc2285e048137186f8d7c01882fbfabeb409
Instruction Fuzzy Hash: 1241C2B0C00719CBEB24DFA9C844BCDBBF5BF49304F208169D408AB251EBB56946CF90

Function 055B58ED Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 055B59A9

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 031f5f97bf90603ac881ddc6143a3c75227d90989f511c4f8f5170380511b48c
Instruction ID: 40d3c6c867abe7862e82f817385b8118df1c38fb20f242f0dc8e30827fc81bb7
Opcode Fuzzy Hash: 031f5f97bf90603ac881ddc6143a3c75227d90989f511c4f8f5170380511b48c
Instruction Fuzzy Hash: CA41D2B1C00719CBEB28DFA9C8847CDBBF1BF49304F20815AD409AB251EBB56946CF90

Function 055BD823 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055BD8AF

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 47ffd6411650f21813d3a16d4e13bd0fe7978a936f7b8d74cfefac40f6a1fa08
Instruction ID: 6bf77540af46269e56bfd58d7b784b740895536c85c2c1fb821c7868fee46a6d
Opcode Fuzzy Hash: 47ffd6411650f21813d3a16d4e13bd0fe7978a936f7b8d74cfefac40f6a1fa08
Instruction Fuzzy Hash: 3821E3B5D00248AFDB10CF9AD885ADEBBF9FB48310F14801AE914A7350D375A944CFA5

Function 055BD828 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055BD8AF

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c6d2f607a1951e696e1046e73fb0347c1d3a694cf7a682e565d8134e1e358b1b
Instruction ID: 492de5405ab64c6cb24ba735df2e6266547d9c91533d579707948a8e24e32e13
Opcode Fuzzy Hash: c6d2f607a1951e696e1046e73fb0347c1d3a694cf7a682e565d8134e1e358b1b
Instruction Fuzzy Hash: EA21E4B5D002489FDB10CF9AD884ADEBBF9FB48310F14801AE914A7350D375A944CFA5

Function 078FB468 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 078FB4E3

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0e8ff362e8ec7545dfe05a23dc510428ec78776e41e2647c6acde1369ce0392b
Instruction ID: 50cda4cb038deff74daaf5ed8083a237baaa82b284aba5c37a6015c50de67214
Opcode Fuzzy Hash: 0e8ff362e8ec7545dfe05a23dc510428ec78776e41e2647c6acde1369ce0392b
Instruction Fuzzy Hash: DD2136B5C003499FCB20DF9AC885BDEFBF4EB48320F108429E928A3240D778A545CFA1

Function 055BB4B0 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 055BB47E

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72ac06195d7b10db07408a3704165112315111da02218e0e034845efa39ce5ce
Instruction ID: 092a34340e7deac1399bd97f504b491970996a3883049c83ccb3e7499a3273ef
Opcode Fuzzy Hash: 72ac06195d7b10db07408a3704165112315111da02218e0e034845efa39ce5ce
Instruction Fuzzy Hash: E7118275A002059FE710DF6AE8087EAB7FAFBC4320F14847AD519D3250DAB998058BA1

Function 078FB470 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 078FB4E3

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cb4643c316a06329c766d347f7ffe8f0893d2cd76a62b62613ea104a66640504
Instruction ID: 5f10de0c14dff38a9b894cd3ce9da3f1d8968cc2dbe53013d52830f4c5ba7e67
Opcode Fuzzy Hash: cb4643c316a06329c766d347f7ffe8f0893d2cd76a62b62613ea104a66640504
Instruction Fuzzy Hash: 742106B5D002499FCB10DF9AC544BDEFBF4EB48320F108429E958A7250D778A544CFA1

Function 055BB418 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 055BB47E

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ca0f2e3471d88d2b67416d9823101c29039b7792223c20d3bcafa4cea04b046
Instruction ID: 1efd824a24ce19298116a5b0926bb3bcaa771d781ae7aaa440ea4970823fbdee
Opcode Fuzzy Hash: 3ca0f2e3471d88d2b67416d9823101c29039b7792223c20d3bcafa4cea04b046
Instruction Fuzzy Hash: 9C11D2B5C003498FDB20DF9AC444ADEFBF5FB48224F10841AD429A7610C3B9A545CFA5

Function 0150D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1242760262.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f789de9c893b7cbf90509769671f65de029ff5eb8657a4e86825ec6ccc02356
Instruction ID: 6a40daccd61b9a37ef34c768116f7d1615818c75223aecb88e365a7644a2c7c9
Opcode Fuzzy Hash: 1f789de9c893b7cbf90509769671f65de029ff5eb8657a4e86825ec6ccc02356
Instruction Fuzzy Hash: C421B071504240DFDB16DFD4D9C0B2ABFB5FB88328F248569ED090E296C336D456CAA2

Function 0151D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1242836692.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442e184bd829e76db2abb0b0b5f4f0e4cfd374dc3ff6805a6fdaa82a642b3d34
Instruction ID: 6884bebb89e499a112abf47bf23bb9418e423a7d1b7a5aa2f9e197919064207d
Opcode Fuzzy Hash: 442e184bd829e76db2abb0b0b5f4f0e4cfd374dc3ff6805a6fdaa82a642b3d34
Instruction Fuzzy Hash: 91210771604300DFEB16DF94D9C8B55BBB5FB84324F20CA6DD8694F25AC33AD446CA61

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1242836692.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f50400d096053d8ae5cfaa868e695b98a61dfb9c18841aac6ce33701af5d64
Instruction ID: 5635d31aa224ab32a895a66c69e49d21c8e99af2bba3c12b70f2323c1a79cd94
Opcode Fuzzy Hash: 52f50400d096053d8ae5cfaa868e695b98a61dfb9c18841aac6ce33701af5d64
Instruction Fuzzy Hash: 2321D375604204DFEB16DF54D9C8B16BBB5FB84314F20C96DD8494F24AD33AD847CA62

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1242836692.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633a973b0392aea5afd143805043def8c787567dd228b4e7d6dda905a1c357e6
Instruction ID: dd9e7ddde0cdd142a12787ffe1076cc9c0a60527dac2d72d12c1f876f189ffca
Opcode Fuzzy Hash: 633a973b0392aea5afd143805043def8c787567dd228b4e7d6dda905a1c357e6
Instruction Fuzzy Hash: 02218E755093808FDB07CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62

Function 0150D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1242760262.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 7e8c7e255647ac96b4c0747a319657b501abe8029fa81eadc922e705483a1bd3
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: CE119D76504280CFCB16CF94D5C4B1ABF72FB88324F2486A9DC490B696C33AD45ACBA1

Function 0151D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1242836692.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: cda9c198e29f4b0ee8961ede6d23068f62074231e70b4c8388b0cb37972f38e6
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 5611BB75504280DFDB06DF58C5C4B59BBB2FB84324F24C6ADD8594F69AC33AD40ACB61

Non-executed Functions

Function 078FE130 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 078FE308

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: a4f4ec2e77da67d6f22b9b06d3aee9820a45995a9b5f098fe60e6b2490069db2
Instruction ID: 8c5c63e6fbc2b2aa152d15ac467a6b91a34e34e2170110dc64427f1ba7f2b273
Opcode Fuzzy Hash: a4f4ec2e77da67d6f22b9b06d3aee9820a45995a9b5f098fe60e6b2490069db2
Instruction Fuzzy Hash: 46D101B0E1461DDBCB18CFAAC98059EFBF6BF99340F14D52AD419EB268D73099428F50

Function 078FE120 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

{#L, xrefs: 078FE308

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 9997b020d0c6a8bede4ea4dffb971e382e56e464c4c7db5a0c35680ceea64d06
Instruction ID: 9e7eaa60be03abdb46c0ef2e5b7435af7b57ae80edf9a00168a30999a20beaec
Opcode Fuzzy Hash: 9997b020d0c6a8bede4ea4dffb971e382e56e464c4c7db5a0c35680ceea64d06
Instruction Fuzzy Hash: 4AD111B0E1461DDBCB08CFAAC98059EFBF6BF89240F14D56AD419EB268D73099428F50

Function 078F5048 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

98R, xrefs: 078F51A3

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: 0a22a1e7205166ff0725931e9722d95115d4572f731c98ed29d9ab564266f709
Instruction ID: 19b42c1a7428748dd61872fbaec35b1ad1fe180b0cb47667dc2729dc6ddfa8e7
Opcode Fuzzy Hash: 0a22a1e7205166ff0725931e9722d95115d4572f731c98ed29d9ab564266f709
Instruction Fuzzy Hash: A07123B5E1120ADFCB04CFA9D4819AEFBB1FB99350F10852AD515EB314D334AA92CF94

Function 078F5047 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

98R, xrefs: 078F51A3

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: d654c840aa9e650b0bf009f62864e84ba0f394e0501c5f9b3c5e9e3b99d04dda
Instruction ID: 8b10827d0d52a7a3c9a3a0cab16c8125f9cfff59e3dd33d6a8f650893547ee51
Opcode Fuzzy Hash: d654c840aa9e650b0bf009f62864e84ba0f394e0501c5f9b3c5e9e3b99d04dda
Instruction Fuzzy Hash: CB6125B5E1020ADFCB04CFA9D4819AEFBB2FB99350F10852AD515EB314D334AA52CF90

Function 078FC250 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 078FC366

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 1a14d9d6071b44dd752c50af76b09f24c1f49cd14642f57e6c2fb646a5979c8b
Instruction ID: e72778482d0d8362cd9c0430894993ba0bb138dbbe7268561684ceccfe856df8
Opcode Fuzzy Hash: 1a14d9d6071b44dd752c50af76b09f24c1f49cd14642f57e6c2fb646a5979c8b
Instruction Fuzzy Hash: 445101B5E1121D9BCB08CFEAD8455AEBBB2FF89310F10942AE505FB254EB345A41CB64

Function 078FC241 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

iUfo, xrefs: 078FC366

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 35626fdf0576e4e3c3799f665bed0dc270ae49ee3b10f1b23e4c9a34d99cee46
Instruction ID: d8ac50d542b807a79dac8c0dbff6e62a2731ff184677dfe9745e6e03d7d3888a
Opcode Fuzzy Hash: 35626fdf0576e4e3c3799f665bed0dc270ae49ee3b10f1b23e4c9a34d99cee46
Instruction Fuzzy Hash: 8A51F1B5E1121D9BCB08CFE9D9456ADBBF2FF89310F10942AE505F7254EB345A018B64

Function 078FC820 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

w7e^, xrefs: 078FC77D

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: acf94a3f7b167ab4c3b82c02568562053fdb5720e6f23eef84e911382b9271cd
Instruction ID: 7ccfe31dd0209b23a45b2baf7149f5ab059180bddac0c199079c26ced8d80c7d
Opcode Fuzzy Hash: acf94a3f7b167ab4c3b82c02568562053fdb5720e6f23eef84e911382b9271cd
Instruction Fuzzy Hash: A55134B4D1520EDFCB44CFAAC8415EEBBB2FB99200F24956AC516F7244D3389B058F68

Function 078FC648 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 078FC77D

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: f69719e7f0b66af4b4d7dd472029e6b486c51d00634df6a3efc8fc4fe24e921d
Instruction ID: 3eb9711a30a6e5dc0b3ee8a010b3140321967e13f24bec601c594015c2323e92
Opcode Fuzzy Hash: f69719e7f0b66af4b4d7dd472029e6b486c51d00634df6a3efc8fc4fe24e921d
Instruction Fuzzy Hash: C94135B4D1521DDBCF44CFAAC8406EEFBB1FB8A200F14A52AC516BB254D3385646CF68

Function 078FC638 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

w7e^, xrefs: 078FC77D

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: e4c915655cc44b6147375529f8e3ec72ec744134cc2dcf9757f2a141f259e4f1
Instruction ID: 0787370886a040f09c6334ebae0499e7111a46b51bb3cbb3abf4dd30f660b1ff
Opcode Fuzzy Hash: e4c915655cc44b6147375529f8e3ec72ec744134cc2dcf9757f2a141f259e4f1
Instruction Fuzzy Hash: 6C4154B0D1520EDBCB48CFAAC8412EEFBB1FB89200F14A52AC102B7254D73856468F68

Function 078F8BB8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 078F8D23

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 53d9bc3eb8b31bf3af20209fe311d2bea8b43218c386ca7f3a45ef187f5415f5
Instruction ID: 35646a755e5fca7342d82cdcc8e8798cad1d9f87353d1fc7c2720fac2cd9b9be
Opcode Fuzzy Hash: 53d9bc3eb8b31bf3af20209fe311d2bea8b43218c386ca7f3a45ef187f5415f5
Instruction Fuzzy Hash: 9B516BB1E146188BDB68DF6B8D4579EFBF3AFC8200F14C1BA950CA6214DB301A858F51

Function 078F8BB7 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

0ni, xrefs: 078F8D23

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 15a3e1fda8cd0423afb7ec4540baeb202a40ceb4c2c86c0efa0561c049061f1c
Instruction ID: 7c5b84665cb23d9b5f83468112c87c8efea50b0e0f8093971f89655122ca79af
Opcode Fuzzy Hash: 15a3e1fda8cd0423afb7ec4540baeb202a40ceb4c2c86c0efa0561c049061f1c
Instruction Fuzzy Hash: C6412AB1E156188BEB58DF6B8D4579AFBF3AFC8200F14C1BA950CA6264DB301A858F51

Function 055BD74C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1247728749.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55b0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483f279f81edde03b740908afeea23f95be281275f32a54743e04666dd20afba
Instruction ID: 4c06a086c52732ab9e8ce0ff3d7f18bbcd32608213ea7ec97a654f830225b82b
Opcode Fuzzy Hash: 483f279f81edde03b740908afeea23f95be281275f32a54743e04666dd20afba
Instruction Fuzzy Hash: E5A18436F0020A9FDF15DFB4C9485EEB7B2FF85300B1585AAE805AB261DB71E955CB80

Function 078F7338 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474fa28651ed00f19cf20a88bedb2fbc71d601b9d1b4021c4a1d77981ced90a8
Instruction ID: e8b07f245e67c6f122133ca896b9636200178ffd800be5da2025a20ff81dc37a
Opcode Fuzzy Hash: 474fa28651ed00f19cf20a88bedb2fbc71d601b9d1b4021c4a1d77981ced90a8
Instruction Fuzzy Hash: 779100B0A1421ADFDB04CFA9C98499EFBF2FF99314F649569D505EB220D330AA41CF90

Function 078F7331 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deed60ce3c79b6c0a89ea7227172b01ea3c9bcf42461c7c99953c00bfe7cb279
Instruction ID: 038a3ca8ad136fa8649cc22bfc776b5f60370bca943f532c89121e32274482d7
Opcode Fuzzy Hash: deed60ce3c79b6c0a89ea7227172b01ea3c9bcf42461c7c99953c00bfe7cb279
Instruction Fuzzy Hash: 1C8102B4A2421ADFDB04CF99C98499EFBF2FF99314F648569D505EB220D330AA41CB91

Function 078FCA08 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4991d31f7ef727e7d2bfe5e94776b2e606ba8e5278701cbddc3fafe42bbc018f
Instruction ID: 4a02ea51722fdfa03eeec24d38fde9dac04bc948240b8a0075735b06a2b0b3a1
Opcode Fuzzy Hash: 4991d31f7ef727e7d2bfe5e94776b2e606ba8e5278701cbddc3fafe42bbc018f
Instruction Fuzzy Hash: 7A8129B4E10219CBDB54DF69C580AAEFBB6FF89300F2481AAD508A7255D734AE41CF61

Function 078F8739 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2b4bad9cd33d17914b3a6166dd4afd5c0c0c9d0e48b28454f2ca1dfcf54e92
Instruction ID: c3e32820fd79e2544d4aa8a73f5f78f90a46d1aca2f78499a37d3547f7b166bc
Opcode Fuzzy Hash: be2b4bad9cd33d17914b3a6166dd4afd5c0c0c9d0e48b28454f2ca1dfcf54e92
Instruction Fuzzy Hash: F47119B4E256098FCB04CFA9C981ADEFBF2FF99210F24942AD505F7364D3349A418B64

Function 078F8748 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d09b9276c7859c5e7da28ec4ebae9cd3f7fbd3dde0480e4899804b1135a9c6
Instruction ID: a8d46c75ae25e821d141b16f3c1ae96062711a26bd3ebbd75a9b30920dee6d68
Opcode Fuzzy Hash: e7d09b9276c7859c5e7da28ec4ebae9cd3f7fbd3dde0480e4899804b1135a9c6
Instruction Fuzzy Hash: F971D6B4E25609CFCB04CFA9C9809DEFBF2FF99210F24942AD515F7264D7349A818B64

Function 078FCA07 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c327e79c463a0c48b396b107bfd5e8e84a4ae5c0740d1aefc3fb73f9e54c835
Instruction ID: ce2b17ee4efa47c0a86ea4a791c135c046737c6bb2e41b4a3a260f1b2d748272
Opcode Fuzzy Hash: 3c327e79c463a0c48b396b107bfd5e8e84a4ae5c0740d1aefc3fb73f9e54c835
Instruction Fuzzy Hash: 68812AB4D10219CBDB54DF69C5806AEFBB6BF89300F24C1A9D408A7355D734AE41CF61

Function 078F89D8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac4e8a096aa377dd12f2a53952600c68f541db06e508aa3c78799d5d454c74a
Instruction ID: b1fa7789c5fa30999300ff7946f4eceb0d1968d0e1053c0de6e0d07a4d94b21c
Opcode Fuzzy Hash: 3ac4e8a096aa377dd12f2a53952600c68f541db06e508aa3c78799d5d454c74a
Instruction Fuzzy Hash: FD41D4B0E1520ADBCB44CFAAC5816AEFBF2FF99300F24D56AC505F7214D7349A418BA5

Function 078FBF10 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993d8d0a5dd2667d75d88922dd057c03b3182e06499d89057f333eb1fd30a206
Instruction ID: f3f51f336ce4856bc875f04057944744efc7f77c943ee320c87b61072c6ded53
Opcode Fuzzy Hash: 993d8d0a5dd2667d75d88922dd057c03b3182e06499d89057f333eb1fd30a206
Instruction Fuzzy Hash: 024117B0E1520EDFCB44CFA6C5416AEFBF2EB99304F20946A8119F7264E3749B418F94

Function 078FBF00 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f5d50705d71622ee49e3ae8127340a3b2fe515d89f0b6263354c0cc4e8dedd
Instruction ID: 99fb3d8dbdff300312a1bc731f67f4c6b3699d04c9c59927e01e9d4f695eee0a
Opcode Fuzzy Hash: c8f5d50705d71622ee49e3ae8127340a3b2fe515d89f0b6263354c0cc4e8dedd
Instruction Fuzzy Hash: 674128B1E1560ADFCB04CFA5C5416AEFBB2EF99304F24956AC119E7264E3748B018B94

Function 078F8530 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b203c9dde0d4b23e8a60721332c6896fa28aed9f6e681109438ea848aaa8fc2
Instruction ID: b5a33a3ee0614c9fbc29cfdb03b28ff6c0133c54102d9a03ab4d53860ee6a4d0
Opcode Fuzzy Hash: 0b203c9dde0d4b23e8a60721332c6896fa28aed9f6e681109438ea848aaa8fc2
Instruction Fuzzy Hash: 4B41F5B4E0420A9FCB48CFAAC4816AEFBF2BF99300F14C42AD515F7254D7349A428F94

Function 078F89D7 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cc128251ddbf1f7175f679b04614ae30fc0d4e083a2f078e1b204acb2efe4c
Instruction ID: c34b47280077eefe649790711cecdc98fb7653932413dadb5ce51703c4421b91
Opcode Fuzzy Hash: 55cc128251ddbf1f7175f679b04614ae30fc0d4e083a2f078e1b204acb2efe4c
Instruction Fuzzy Hash: BC4136B0E1520ADBCB04CFAAC5819AEFBF2FF99310F24D56AC505E7254D7309A41CBA5

Function 078F8540 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949f13322801d7bb402d36b4ebf92af63f3527b73a3e195665aeefae29245d1d
Instruction ID: 63b76ce32410e761a738dd05d89ae3bb9f9016eee001ae3b2ddebae6e752a7b2
Opcode Fuzzy Hash: 949f13322801d7bb402d36b4ebf92af63f3527b73a3e195665aeefae29245d1d
Instruction Fuzzy Hash: 8741C1B0E0520ADFCB48CFAAC4856AEFBF2BB99300F14C46AD515F7254D7349A418F94

Function 078F3793 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b54a4850ffa7259e96d34139e2810f3bbe813850ccc2072e8ec05a9b4fe783
Instruction ID: 0d1f4df7ced0e5b0ddc84ea084af4663f17b9d895a73ebd2407c3fb73ff4769a
Opcode Fuzzy Hash: b9b54a4850ffa7259e96d34139e2810f3bbe813850ccc2072e8ec05a9b4fe783
Instruction Fuzzy Hash: 3721FCB2E006189BEB18CFABDC4179EFBF3AFC8200F08C076C518A6254EB3415528F51

Function 078F37A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1249457105.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6fb2522c157d3922f27036f3d93f77e1115e98f0dad6e3cfd3ac203416bdd0
Instruction ID: 62392d6f601409615da18f4ab2cee5585cf9b8747109ca0786fb556b0f37aafd
Opcode Fuzzy Hash: ae6fb2522c157d3922f27036f3d93f77e1115e98f0dad6e3cfd3ac203416bdd0
Instruction Fuzzy Hash: 9F11BCB1E106189BEB18CFABDC4069EFBF7AFC9200F14C17AC91CA6254EB7406558F55

Analysis Process: FylY1FW6fl.exePID: 6152, Parent PID: 1408COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 0298C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0298F910

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 39be0a4f0b3f2dd4331bd8fb9c13ce153fb607efa24c4390bb452488e37e9f87
Instruction ID: 7632ecb4ba2bea7ce65df21eabb1c01002a2bebbabcf8874ac0be49e37626288
Opcode Fuzzy Hash: 39be0a4f0b3f2dd4331bd8fb9c13ce153fb607efa24c4390bb452488e37e9f87
Instruction Fuzzy Hash: EF73F531C1075A8EDB11EF68C854A99FBB1FF99300F15D69AE44877261EB70AAC4CF81

Function 056360D8 Relevance: .7, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f565239a2fcf1519b061e05a85598a195c1367f725a36a52f9279f66190831d5
Instruction ID: 9283d1c1a6b3f47a7eae92d1d3367fd8c275cb19f3dc3ef3ac81be05518de45c
Opcode Fuzzy Hash: f565239a2fcf1519b061e05a85598a195c1367f725a36a52f9279f66190831d5
Instruction Fuzzy Hash: 7D72BC74E052289FDB64DF69C985BE9BBB2BF49300F1481EAD409A7355DB30AE81CF50

Function 02989480 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4520f426ab0b000ccbb7d428827069490f99197dfa96b28e966682bbe9b8f3
Instruction ID: a8825bdf67343c91716bdc4dff2fdf0c7ba3105d3251fceafb351a52687b3bfc
Opcode Fuzzy Hash: 8b4520f426ab0b000ccbb7d428827069490f99197dfa96b28e966682bbe9b8f3
Instruction Fuzzy Hash: 39C1A174E01218CFEB14DFA5D954BADBBB2FF88301F1481A9D809A7394DB359A85CF50

Function 0298C521 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05fcce780f90402063b5b0919fa23d92b9fdfdf2836dae35b1760e076970a14
Instruction ID: d178da65e2a413ef813e31331baf811f35f2210c46afb6b19a4f4bbc97634be6
Opcode Fuzzy Hash: a05fcce780f90402063b5b0919fa23d92b9fdfdf2836dae35b1760e076970a14
Instruction Fuzzy Hash: 12A11571D106198FDB14EFA9C8847DDFBB1EF89300F14C6AAE448A7260EB709A85CF51

Function 02989A30 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195cb340540cdb8c95b70f34dff8fd9f8fcb76b8f712e16582886d8851399e17
Instruction ID: 600166aac8d7e3603ee79641fd628d5cae9c0d535c1cb3107ebfd6c8494cfb50
Opcode Fuzzy Hash: 195cb340540cdb8c95b70f34dff8fd9f8fcb76b8f712e16582886d8851399e17
Instruction Fuzzy Hash: 0EA1F670D00208CFEB14DFA9C958BADBBB1FF89314F248269E409AB391DB759985CF54

Function 02989A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46db68bacd06b0c48cadae4231ad44a3c22dbae54701ff0f97c67830fcce8e
Instruction ID: 12b2dcfbc9f89dc11dd7036891f1ccc433f46f1967307681f3fd48ef3e02e1bb
Opcode Fuzzy Hash: bc46db68bacd06b0c48cadae4231ad44a3c22dbae54701ff0f97c67830fcce8e
Instruction Fuzzy Hash: 6AA10770D00208CFEB14DFA9C958BADBBB1FF88314F248269E409AB391DB759985CF54

Function 02989D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d67cfa79214b9dad10f797d01b3b9436dbdbb2fe4b028b0e0ebf9edd0fb894b
Instruction ID: 3bc7b9f627998cccf11b6c46a7f21d8c67326bc33a181905a73dc931889c2082
Opcode Fuzzy Hash: 7d67cfa79214b9dad10f797d01b3b9436dbdbb2fe4b028b0e0ebf9edd0fb894b
Instruction Fuzzy Hash: C691E174D00208CFEB10DFA8D988BACBBB1FF49314F248269E409AB391DB759985CF54

Function 0298946F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a195dbbdd9ceebe6f03a090e366ca36515b364c61f9373ec11429512d5452198
Instruction ID: d0152b1d53b524fe4c8958f47961ecf7ca3746b1653c11425270f7414f3005a4
Opcode Fuzzy Hash: a195dbbdd9ceebe6f03a090e366ca36515b364c61f9373ec11429512d5452198
Instruction Fuzzy Hash: 0541D475D01248CBEB18DFAAD8547ADFBF2AF88300F24C12AD815AB358DB345945CF54

Function 0298AD3D Relevance: 1.7, Strings: 1, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0298B015

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: da667b82bc35a0b2453c703434e92945dd4851e7f1a92d2abbff09347fab43c8
Instruction ID: 56077c0200176f25111fd715b16ff6fa2d046acfc6134f74b05941ef7359a382
Opcode Fuzzy Hash: da667b82bc35a0b2453c703434e92945dd4851e7f1a92d2abbff09347fab43c8
Instruction Fuzzy Hash: 8C610430B046008FDB196F74A86937E7BA6AFC5324F188519E516DB3D1DF388C02C7A5

Function 0563A4C0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0563A54F

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e75f9c6f89e0723b447b1f34f48ab86ac7499299a9f35df70102453cf4c77d4b
Instruction ID: de5997d959da24d406bcf688f2e254c457254aa532c61ac1e9f040cce783dd0b
Opcode Fuzzy Hash: e75f9c6f89e0723b447b1f34f48ab86ac7499299a9f35df70102453cf4c77d4b
Instruction Fuzzy Hash: 8021F4B5C002489FDB10CFAAD984ADEBFF4EB48320F14811AE968A7350C375A941CF60

Function 0563A4C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0563A54F

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a6ed2e263412140a4531f96e2081a662cfcefc8e467918ad1b4a87f0746c89df
Instruction ID: cf06e9d37a7a52aa71beebb716ec7e58a6d6736d17b9fd59199a01720ebfd4e7
Opcode Fuzzy Hash: a6ed2e263412140a4531f96e2081a662cfcefc8e467918ad1b4a87f0746c89df
Instruction Fuzzy Hash: 5C21E3B5D002089FDB10CF9AD985ADEBBF4FB48320F14801AE958A3350D379A940DF60

Function 0298AF78 Relevance: 1.5, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0298B065

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f21291bfaf3eacb26970d91e4d792c42e7f4d17c1e9eeb4c2611b9737653abdb
Instruction ID: 868bcd3b490ce8c2830d6aadd5bfe5d4bd1ab652053aeb7495c18d7ad34b63c6
Opcode Fuzzy Hash: f21291bfaf3eacb26970d91e4d792c42e7f4d17c1e9eeb4c2611b9737653abdb
Instruction Fuzzy Hash: 1C81F430B006048FDB256F74A86937D7AA6AFC5328F688619E526DB3D0CF358D02C7A5

Function 029819B8 Relevance: .7, Instructions: 730
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57fa0ba86849a852ba81a57909d9eb28fe2763da548749dc2948d8866f6424b
Instruction ID: 3f996bf68c9e194ded1f584b295cc7d29de759d959ef9b5159da6c8da0784c45
Opcode Fuzzy Hash: a57fa0ba86849a852ba81a57909d9eb28fe2763da548749dc2948d8866f6424b
Instruction Fuzzy Hash: 63425E226192C9DFE7234B7058763E4BFF19E8705172E88DEC6C42B817E12A292FD711

Function 0298B500 Relevance: .4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84550f8b1cf7c03ca6ac41ab93c2d4dd20a8279749b3f6f8538272306b764d2
Instruction ID: d98081d5ef39871cf3f3fe6032b2936f4a96fb2e56513171f8be28aace16e887
Opcode Fuzzy Hash: a84550f8b1cf7c03ca6ac41ab93c2d4dd20a8279749b3f6f8538272306b764d2
Instruction Fuzzy Hash: F7D1C431B042048FDB14EB68C865BAE7BB6AF89324F1C4559E506EB3A1DB35DC42CB91

Function 0298BF80 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f9e6aa04eb3b645c33b144fecfbbdc9cbf5f87cb0aae6e7b9fb28592a8fc9c
Instruction ID: 7c191e78c5c5c0375247279aabaf18ed87bc6415dcc43086a0e5ca475a4263a6
Opcode Fuzzy Hash: 83f9e6aa04eb3b645c33b144fecfbbdc9cbf5f87cb0aae6e7b9fb28592a8fc9c
Instruction Fuzzy Hash: 2B61B676B002059FCB18AFBDD884A6ABBB9EFC9364B18852BE419D7740D731D80187B0

Function 02980B20 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3563795c4a9c7c1ffae6bb034e6f6d7a8265b9055f9cae91fbe88db8b28e3175
Instruction ID: 56c852dd987f4c170aade2b2ad2bbfb2e694e10a58ff12a962d21579291b18b4
Opcode Fuzzy Hash: 3563795c4a9c7c1ffae6bb034e6f6d7a8265b9055f9cae91fbe88db8b28e3175
Instruction Fuzzy Hash: 66A1BA78E01359CFCF15EFA8E994A9DBBB1FF84301B104529D416AB369DB306916CF81

Function 02980B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cb49b25c7a9d245af693855280f0492ce520f8b9a6148420fcfc0a8a1ccb4d
Instruction ID: 08f7fd06005b23fff9c557d7f39e9248da129296e40d8913e66633ea2f5a0ba9
Opcode Fuzzy Hash: 31cb49b25c7a9d245af693855280f0492ce520f8b9a6148420fcfc0a8a1ccb4d
Instruction Fuzzy Hash: AAA1BA78E01319CFDF15EFA8E994A9DBBB1FF88301B104529D416AB359DB306916CF81

Function 0298BC28 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc4a0a6f83dd4a98c43daaee31197646ccc2a7150f57ef8be95fc39040dcb01
Instruction ID: fdaf226b850d1a74cfd171295dbb419f5519b698c868cb4b44bbceacbbcd2667
Opcode Fuzzy Hash: cdc4a0a6f83dd4a98c43daaee31197646ccc2a7150f57ef8be95fc39040dcb01
Instruction Fuzzy Hash: 4A41D331B002049FCB18ABB8DC6566E7FBAEFC9204F58447AE509D7391DE349D02CBA1

Function 02983F78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59fc1626ac6f6c3ccf56277737327ad730388b0f706c774a4d95b0d269f2cc6
Instruction ID: ed85f8cd217c620848c44b77980f4dea3daffb42b74a3d5b96f0bc351bf5f47e
Opcode Fuzzy Hash: f59fc1626ac6f6c3ccf56277737327ad730388b0f706c774a4d95b0d269f2cc6
Instruction Fuzzy Hash: 6451C574E00208DFDB58DFA9D884A9EBBF2BF89310F149569E815BB364DB309846CF10

Function 02982C78 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e636411d6f39891f507fa3082fa092b12df1c571d1c53b85d496f9bca6601a68
Instruction ID: ff71c601c5c08b35772ab675dca4debd3a632eb8db48d31d7c4a057e752bee26
Opcode Fuzzy Hash: e636411d6f39891f507fa3082fa092b12df1c571d1c53b85d496f9bca6601a68
Instruction Fuzzy Hash: 4131C375F043A48BEF2867659C9437A6AAABFC4205F1C443BED07D7380EB74C845C2A1

Function 02983168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd9b81dfec3407f35897b160f47500e647c9885c96ddf2bd50407667228363b
Instruction ID: af3e9239ad6db8e42330dac308f0687a0bb5577b603ca0da685799bc4524d043
Opcode Fuzzy Hash: fdd9b81dfec3407f35897b160f47500e647c9885c96ddf2bd50407667228363b
Instruction Fuzzy Hash: 1F41B374E01208DFDB08EFAAD484A9DBBB2BF89300F249529E415BB364DB349846CF14

Function 02989249 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4aa6a90b4dc7cabec753ae01a49881832938bd1da3c22dd44377d4f3289250
Instruction ID: 79c6ab9c6bfedcdc732cfef50fe7df8642240cb9dbb2b282a71a701c4f4e38a2
Opcode Fuzzy Hash: 0b4aa6a90b4dc7cabec753ae01a49881832938bd1da3c22dd44377d4f3289250
Instruction Fuzzy Hash: C031A93583328A8FD6402B21B5FE2BABEA4FF4F733B46AD04F14AC05958F3445848E64

Function 0298B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82ec8b487203e78f9f2bacacd249d85bae12244bd93f5c1154182e1562fe723
Instruction ID: b09d0a0b9dbef2c4d04949ff9d943e04b7c84bfe18138d08e190bdae23c555e3
Opcode Fuzzy Hash: d82ec8b487203e78f9f2bacacd249d85bae12244bd93f5c1154182e1562fe723
Instruction Fuzzy Hash: 8C313B35B002088FDB15EFA8C490E9DBBB6BF88224F595045E501EF361CB71EC86CBA1

Function 0298B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4664daac4bd9d9373b64a786ad6977594190277c2ece16f0b07a7efc09d1da2d
Instruction ID: 725634d2bf6929a864d20e3de24d8a1f0306e6cd0b6cb22b1aff137995430d4f
Opcode Fuzzy Hash: 4664daac4bd9d9373b64a786ad6977594190277c2ece16f0b07a7efc09d1da2d
Instruction Fuzzy Hash: 17313A35B002088FDB55EFA8C490E9DBBB6AF88324F595054E501EF361CB71EC86CBA1

Function 0298BDE8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9c67ddbfd2ab55f3fcf58409af804830e2a769efafe27cc84b01667c97cd1a
Instruction ID: 0ab6a91b334f4527c22bc13456e4e6cea5f922be8e917045ff4dcc24d0c20a43
Opcode Fuzzy Hash: 3b9c67ddbfd2ab55f3fcf58409af804830e2a769efafe27cc84b01667c97cd1a
Instruction Fuzzy Hash: 7C2173357042059FD714EF69C865B6EBBB6FF88214F288069E506C7361DA359D12CB90

Function 029818C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a497be31bbedfa5c1699b3b817310b782c5698fbd3684a6c137f764b8e0c427b
Instruction ID: cae7edd6d162ac6a6d2162df17fbb16b75d0fa2a6645710225cacbd97385aa31
Opcode Fuzzy Hash: a497be31bbedfa5c1699b3b817310b782c5698fbd3684a6c137f764b8e0c427b
Instruction Fuzzy Hash: 8E21A435A002049FCF14EF28D440AAE7BB5EB89360F54C519D81E9B344DB31EE06CBD1

Function 00F1D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2473840127.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f1d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19652e49d2db20ea77f631e4a55785f34aef3546cc738af648db559f1c435bc8
Instruction ID: 6f3a6987cff74c2880828c2d65c4527b896cf622ae89f9aafc6b4654c8ffb8ea
Opcode Fuzzy Hash: 19652e49d2db20ea77f631e4a55785f34aef3546cc738af648db559f1c435bc8
Instruction Fuzzy Hash: C9210775A04304DFDB14DF14D9C0B56BB75FB88324F24C66DD84A4B29AC336D887DA62

Function 00F1D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2473840127.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f1d000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfb889c319474fee29665f896e22a122a1dc89ed3d45a3ff590502d58918fc9
Instruction ID: 056c7b32f85ec11a0f467ed006686487cad23fb0d862a5091b3c5c9c329db9ce
Opcode Fuzzy Hash: 8bfb889c319474fee29665f896e22a122a1dc89ed3d45a3ff590502d58918fc9
Instruction Fuzzy Hash: 13215E7150D3C09FC707CB24D990711BF71AB46224F29C5DBD8898F2A7C23A984ADB62

Function 02980EC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8321c442ecbf6e1bb6a6a7307c07f3eaeb27bf483ce4133879e0111c989786e4
Instruction ID: 887f3676213d5e5c92a29a99d7bf60c03786f8faa1c74398e821bb6c17394b85
Opcode Fuzzy Hash: 8321c442ecbf6e1bb6a6a7307c07f3eaeb27bf483ce4133879e0111c989786e4
Instruction Fuzzy Hash: 9B219D74E052089FDB05EFB9C8106AEBBB6EF85308F14C5B994056B285CB745A4ADF41

Function 029817B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5f4aebb49f5b0d782e6c41f2fd8950b458486e26926c9f9258486bfa7b6b3f
Instruction ID: 6c98916eae1f41a428b9a8efdf9691a28ce12d1d6191d120bc72114c6d88ccf4
Opcode Fuzzy Hash: 6b5f4aebb49f5b0d782e6c41f2fd8950b458486e26926c9f9258486bfa7b6b3f
Instruction Fuzzy Hash: 8921E670D052498FCB05EFA8D9955EEBFB4FF4A200F04456AD406B7251EB305955CBA1

Function 0298BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436289edd3db6ec7d8e6143c57a673a775e297de429799e990771f54157b03b0
Instruction ID: fbf5788b4e668d5f7947daf1142d1938fef1dca403fbaa8d3f6a6b9533d70b43
Opcode Fuzzy Hash: 436289edd3db6ec7d8e6143c57a673a775e297de429799e990771f54157b03b0
Instruction Fuzzy Hash: 97116A36700604CFD714EB69E9A4F16B7EAEF88725B188479E14ACB364CB71EC01CB50

Function 02984850 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f52a4dc4909e3d734d1fbf92678ae558d530ed60c2e6a6432dd4abe97a4ffd2
Instruction ID: 231e0e59eb7f08672bcc7a780cda397be596c89992b85da97c2c8f8eb81bd46f
Opcode Fuzzy Hash: 1f52a4dc4909e3d734d1fbf92678ae558d530ed60c2e6a6432dd4abe97a4ffd2
Instruction Fuzzy Hash: F7019A32B053550BDB28AAB98C6462F7ADBAF88265319443ED906C7354EE24C80286A1

Function 02980FB8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedcc097661e54fae1af4abd457cac50c0602f278f02dadb8aaeeafcee5e8303
Instruction ID: 6d3ec33aa37cc255571aa6ba52edb4f027d2ae910ca3d571caa1ed47778e41c5
Opcode Fuzzy Hash: eedcc097661e54fae1af4abd457cac50c0602f278f02dadb8aaeeafcee5e8303
Instruction Fuzzy Hash: 1A11DF31A092458FDB35AA7580505E8BB75EF56205B08C6FAD8858B256DB35881ECB41

Function 0298BB37 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37a06b614a9d2fb9cc4dd888c7044fa838f5f1abfa710007ae782fe71318780
Instruction ID: f05c08ffec0ec35e189c419a2b1916ad2fa4418167a4d4a46b68409061cbecee
Opcode Fuzzy Hash: b37a06b614a9d2fb9cc4dd888c7044fa838f5f1abfa710007ae782fe71318780
Instruction Fuzzy Hash: D3115B317002008FD724AB29D968B56B7EAEF89729F18846DE149CB364CB71E845CB50

Function 02984860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f2085eeb09c4fe584f4a82aaed68cf7964d5d53f239a2d42d7b6565a9d492d
Instruction ID: 2733cc16de486b041f6079672b906f092f755f2d994c8f5b2934d5b4df4f11f0
Opcode Fuzzy Hash: 32f2085eeb09c4fe584f4a82aaed68cf7964d5d53f239a2d42d7b6565a9d492d
Instruction Fuzzy Hash: C6011D32F053554BDB28ABBA985463EBADFAFC8665314453ED906C7354FE70C8028791

Function 0298A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c12805545254c2652ff08dbd097167128e24bdcd654e980ce7b8e3b877fd92c
Instruction ID: dff509514e441055e01c83c3156c1ac8d7d27b81c5fbdadc2a9e883bc4c33293
Opcode Fuzzy Hash: 5c12805545254c2652ff08dbd097167128e24bdcd654e980ce7b8e3b877fd92c
Instruction Fuzzy Hash: 45014075E112099FCB14AF69E8596AE7FB5EF88320B40442AF91693280DF348D11CBA1

Function 0298A4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f11d78a9e3a015012d3065e470d62aa3a8905bb38c1b03d18a82c0d5cecb69
Instruction ID: b56f305c0c98a5f744f5a80642ca30c970e5e6cfb7768fdf085174ccce283c26
Opcode Fuzzy Hash: 58f11d78a9e3a015012d3065e470d62aa3a8905bb38c1b03d18a82c0d5cecb69
Instruction Fuzzy Hash: 32014475E111199FCB14DF68E8585AE7FB5FF88320B45413AF955D3280DB304910DFA1

Function 0298BEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beeabc6b3e35c4966200078bed889130fc4b43e7b25997f5cdaa332edc8a695a
Instruction ID: 8b1c89a7462233928bf03029ac5722fb115684ecb50aa09ebaea38d0a4ffe9db
Opcode Fuzzy Hash: beeabc6b3e35c4966200078bed889130fc4b43e7b25997f5cdaa332edc8a695a
Instruction Fuzzy Hash: BFF0FC32B143145BC7182674A81D66E7FDADFC9621B18442AF606C7391DF35CC42D7A4

Function 0298C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c35f8fc056977bf7a711df359a420c5d92c984cb769eb0981b538b34b4f010
Instruction ID: 09a6bac6b51b1c73a3d78719c6774a3ec57cc1f2a2d3c36a086b33791ec5c708
Opcode Fuzzy Hash: a7c35f8fc056977bf7a711df359a420c5d92c984cb769eb0981b538b34b4f010
Instruction Fuzzy Hash: 03F0A732B045115BC7196669F45496EB7AEDFC5735718007BE509D7350CF31DC028BA0

Function 0298B9EA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3d76ddf8d798af19151cf1aaf194e65bee85b3e715aec55d65bdf015ab2393
Instruction ID: 07d103ab7e569baa20844b4d66b21aa6647c0fb856f1c0d05f5fb452ad59417a
Opcode Fuzzy Hash: 7b3d76ddf8d798af19151cf1aaf194e65bee85b3e715aec55d65bdf015ab2393
Instruction Fuzzy Hash: 48F0BB75D00208AF8750DFA9D84099FFBF9FF88250744453AE545D3201E770A505CBE5

Function 0298B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abe15bf3039b494d536743808190ef3df9bbf42a45d4ec0d31ba822fcd2be47
Instruction ID: 843f42db119d77c2bda190115b552372d7826732ca2880238e51e2dd75bb6608
Opcode Fuzzy Hash: 0abe15bf3039b494d536743808190ef3df9bbf42a45d4ec0d31ba822fcd2be47
Instruction Fuzzy Hash: C4F08271E002089F8B60EFA9984099FBBF6FB88250B44453BE509D3201E770A915CBE1

Function 029846C9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2a2db4fdfb600ac4acb6a81604a0090c151b477f4f512db194480b865af7fc
Instruction ID: 276d5838555c2dc68a722896d1b35bf80059f79635bb863c60908bd525c2c3b1
Opcode Fuzzy Hash: cc2a2db4fdfb600ac4acb6a81604a0090c151b477f4f512db194480b865af7fc
Instruction Fuzzy Hash: 08E0C071015B4ACBD3102B24ECAD7BA7A66EF8B717F89AC10A00980061CB745050AA94

Function 029846D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d55cbe6e9ea52218b70f3a1ab4d6946d0c8e1c2171db746c0281842fea88ba2
Instruction ID: 9fb79e9eb38590ea1b6973adb88568082f72c15e372f8f8fe1ca4a57126d39d3
Opcode Fuzzy Hash: 3d55cbe6e9ea52218b70f3a1ab4d6946d0c8e1c2171db746c0281842fea88ba2
Instruction Fuzzy Hash: A1E09A71021B0ACBD2002B64A8AC2BA7A66EB8BB1BB86AC00A00E80070CF704444AA94

Function 02981877 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833aff9d9cca8523a0714eef8bb763aebe01799823df647ab4ad570046ff3c5a
Instruction ID: e97012a769054c09d47909eb6565e7b3a24666610fa07b7f86ec2bd87ee4ac5d
Opcode Fuzzy Hash: 833aff9d9cca8523a0714eef8bb763aebe01799823df647ab4ad570046ff3c5a
Instruction Fuzzy Hash: BAE02639E523258BCB02ABB59C000EDBB34AE862227588653C16437190EF30529FC7A0

Function 02981888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6777215c55487ee9e85b823c77d97d21e0d04c6dbdc1f17be4a5deb2aee9d8be
Instruction ID: 37566068d83185f0e4326393310b650fe23c4ddc421d9b9b98e4168d4d22c869
Opcode Fuzzy Hash: 6777215c55487ee9e85b823c77d97d21e0d04c6dbdc1f17be4a5deb2aee9d8be
Instruction Fuzzy Hash: 7AD05B31D2032A57CB10E7A5DC048DFFB38EED6321B904626D52437144FB706659C6E1

Function 02984831 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2474966096.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2980000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454fb8d224b16c6a2f0fdfd17df47aacf43bda7b949a330e78dc276bd610d485
Instruction ID: be72c9971c9eab947e8945d86c91fac2be687bb70c78d780ed1dfae127fd817f
Opcode Fuzzy Hash: 454fb8d224b16c6a2f0fdfd17df47aacf43bda7b949a330e78dc276bd610d485
Instruction Fuzzy Hash: 74B092A395538402EFAA0220893A3767B90AB62208F4908AD8843C0188E61880008250

Non-executed Functions

Function 056351E8 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5r, xrefs: 05635303

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID: .5r
API String ID: 0-750816051
Opcode ID: 1c40586e76dce1b6b63ecbefd45ef9d647ac816ba96865e90f9c5c803f2fdc11
Instruction ID: d592665c20c1da0ef998c891b786acaf92307ae222aeeafd79990624c8c813fd
Opcode Fuzzy Hash: 1c40586e76dce1b6b63ecbefd45ef9d647ac816ba96865e90f9c5c803f2fdc11
Instruction Fuzzy Hash: 70529A74E01228CFDB64DF69C984B9DBBB2BB89301F1085EAD40AA7354DB319E81DF50

Function 056315F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8da8d610e735b01934101404cdc3e794913af55fc4044f6a602159076468ad
Instruction ID: 59478a7bb987f5dd459916cdd2a7f7b89d26670b7eb9175c8953cb011eb5dd9d
Opcode Fuzzy Hash: 7e8da8d610e735b01934101404cdc3e794913af55fc4044f6a602159076468ad
Instruction Fuzzy Hash: 1FC1A174E01218CFDB14DFA5D994B9DBBB2BF89300F1081A9D409AB395DB359E86CF50

Function 05633598 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3366eee136867c9386d78309122bfa74db7bd64e5758301b58380f0e66b402
Instruction ID: 6641547a5eb793d10519299d9ec743cdc0313261bb54d25bd1417bddda7e5d2b
Opcode Fuzzy Hash: 4b3366eee136867c9386d78309122bfa74db7bd64e5758301b58380f0e66b402
Instruction Fuzzy Hash: 8BC1AF74E01218CFDB14DFA5D994B9DBBB2BF89300F2085A9D409AB394DB359E86CF50

Function 05632438 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e24c3184f056fb26bd04c3d8bc77fcec72b3fcc1b33a862d072bac144add896
Instruction ID: 10721337a9de98eb4f6af26f294c309424260bfb28e43385bb8ae99c2ce3dc12
Opcode Fuzzy Hash: 0e24c3184f056fb26bd04c3d8bc77fcec72b3fcc1b33a862d072bac144add896
Instruction Fuzzy Hash: B2C1BF74E01218CFDB14DFA5D994B9DBBB2BF89300F2081A9D409AB394DB359E86CF50

Function 05630498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706b9f3857786bb8a57fb68353c91f884843b37cedea49dc47acd56af7b5b0f4
Instruction ID: 29fc96640171f136bbc26be8ea1551caaafb4eb3beb5583999633f667cf87805
Opcode Fuzzy Hash: 706b9f3857786bb8a57fb68353c91f884843b37cedea49dc47acd56af7b5b0f4
Instruction Fuzzy Hash: 79C1BF74E01218CFDB14DFA5D994B9DBBB2BF89300F2081A9D409AB394DB359E86CF50

Function 056346F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b87949a6ff095cc29e3592e8c6ff5a50386cfa96326272eb3f4e3ceefa09ccf
Instruction ID: 0a6e14e82a114194d9f8719dddd8a854ae04edbc5f5e405f43802561f8876d56
Opcode Fuzzy Hash: 6b87949a6ff095cc29e3592e8c6ff5a50386cfa96326272eb3f4e3ceefa09ccf
Instruction Fuzzy Hash: A0C1A074E01218CFDB14DFA5D994B9DBBB2BF89301F2081A9D409AB395DB359E82CF50

Function 05633140 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad859f99aad0504c57a8f17c057f88f44185d00feba0eb1f117f095f779396f9
Instruction ID: 3aa96ed3768b67b52f99184ab0142b3a465cbf16dbfca8c5d089c7555f104607
Opcode Fuzzy Hash: ad859f99aad0504c57a8f17c057f88f44185d00feba0eb1f117f095f779396f9
Instruction Fuzzy Hash: 2FC1AF74E01218CFDB14DFA9D994B9DBBB2BF89300F2081A9D409AB355DB359E86CF50

Function 056311A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a359a19b23f46735fafda6fee4bf719e00ad7226be5e196d35a8cf027bf61d
Instruction ID: 0d40d0ce06f47e1a2437412c2bf1f5e3670803654841a6982fa59cf7548f65e8
Opcode Fuzzy Hash: 62a359a19b23f46735fafda6fee4bf719e00ad7226be5e196d35a8cf027bf61d
Instruction Fuzzy Hash: DEC19F74E11218CFDB14DFA5D994B9DBBB2BF89300F2081A9D409AB355DB359E82CF50

Function 05630040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591affda2dca27597cfab2447d2e05f8b8e5fabc3eaf6b90a3f59d27f964637f
Instruction ID: 0e54e225cce2f518c478ee7f4dd31961ccb64a45f54af39a253662ab646688a7
Opcode Fuzzy Hash: 591affda2dca27597cfab2447d2e05f8b8e5fabc3eaf6b90a3f59d27f964637f
Instruction Fuzzy Hash: BAC1A074E01218CFDB24DFA5D994B9DBBB2BF89300F2081A9D409AB355DB359E86CF50

Function 056342A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eeaeda52a2fdf0457834d3aecde17d4feb0f78b3a96a37dea61cfd1240467eb
Instruction ID: 43ec47e1948d0d78d9478f8d4f8882226d0d661d19e9efd508ecdf5578e6bafb
Opcode Fuzzy Hash: 3eeaeda52a2fdf0457834d3aecde17d4feb0f78b3a96a37dea61cfd1240467eb
Instruction Fuzzy Hash: 56C1AE74E01218CFDB24DFA5D994B9DBBB2BF89301F2081A9D409AB355DB359E82CF50

Function 05630D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6143da82f4922f8838cb7319e2ebc1554173d556b61e9066466a6c65ee14f9b
Instruction ID: 090b853946d8a8c69f9b1af9d597656be9a9599b43e9186ac00ae5e086f0f84a
Opcode Fuzzy Hash: c6143da82f4922f8838cb7319e2ebc1554173d556b61e9066466a6c65ee14f9b
Instruction Fuzzy Hash: 08C1A074E01218CFDB14DFA5D994B9DBBB2BF89300F2081A9D809AB355DB359E86CF50

Function 05632CE8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d92d1157ad44e00830a1c59728dc4bebb815b378b0e787c42f240ccf8a171a2
Instruction ID: 5ccb363056d0d987cb60fff1c24a1f718b678d3a233b8097bc3b15ba49763e7b
Opcode Fuzzy Hash: 5d92d1157ad44e00830a1c59728dc4bebb815b378b0e787c42f240ccf8a171a2
Instruction Fuzzy Hash: 87C1AF74E11218CFDB14DFA5D994B9DBBB2BF89300F2081A9D409AB354DB359E86CF50

Function 05633E48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28b9e684235298c67e90413685effdac587ccf88f8e027aef1701dd4e15fa01
Instruction ID: 641830721aa88114e5d0339f47632f22dac1ab635dbf0dff1371cddffa368131
Opcode Fuzzy Hash: c28b9e684235298c67e90413685effdac587ccf88f8e027aef1701dd4e15fa01
Instruction Fuzzy Hash: F3C1A174E01218CFDB24DFA5D994B9DBBB2BF89300F2081A9D409AB355DB359E86CF50

Function 05631EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b99c88624067a3b9b68396ce667663df38e9f904919b56fc5cf7c32ba219304
Instruction ID: 195d228c78ae0ca90f2e533554a4c09046f6c687e903fbbdca26437d30e3c136
Opcode Fuzzy Hash: 8b99c88624067a3b9b68396ce667663df38e9f904919b56fc5cf7c32ba219304
Instruction Fuzzy Hash: E5C1A174E11218CFDB24DFA5D994B9DBBB2BF89300F2081A9D409AB354DB359E86CF50

Function 056339F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2be79f4f81125af44694a842e5e6116077ac37be5dd6bfb65d2ccdf2a6564ee
Instruction ID: 0faa7af1422a23a844f7578833a68488503a14be1a29e2e2c38576dd54a7edb8
Opcode Fuzzy Hash: d2be79f4f81125af44694a842e5e6116077ac37be5dd6bfb65d2ccdf2a6564ee
Instruction Fuzzy Hash: B5C1AE74E01218CFDB14DFA5D994B9DBBB2BF89300F2085A9D409AB394DB359E86CF50

Function 056308F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3060070dfd7696c3da2c2b1561e46d140a5ac97653e909165100982a276caf7
Instruction ID: e2c5fd1ae77e55e40677ff0c2bdcbd9b606d4f6bad12dcce580e47ea97629ef4
Opcode Fuzzy Hash: d3060070dfd7696c3da2c2b1561e46d140a5ac97653e909165100982a276caf7
Instruction Fuzzy Hash: CFC1A074E01218CFDB14DFA5D994B9DBBB2BF89300F2081A9D809AB355DB359E86CF50

Function 05632890 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aefcbf23990c2646195c9688ec7721635d0165da1f0018f47de71b3e7c20ffa
Instruction ID: 7f97d1332d39ef65f6eeebec80392d0abe077d7e91f787849944d5c7c9a8ca68
Opcode Fuzzy Hash: 5aefcbf23990c2646195c9688ec7721635d0165da1f0018f47de71b3e7c20ffa
Instruction Fuzzy Hash: 8AC1A074E01218CFDB24DFA5D994B9DBBB2BF89300F1081A9D409AB355DB359E82CF50

Function 05634B50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6507940cad45430114042ac2de2d7013bac735b5d980e0eb485354a29a613b0a
Instruction ID: cb7deddd03aa74d0503934baaeddbcb224664d17c32ef100c9bd491f7d5f6bd9
Opcode Fuzzy Hash: 6507940cad45430114042ac2de2d7013bac735b5d980e0eb485354a29a613b0a
Instruction Fuzzy Hash: 81C1AF74E01218CFDB14DFA5D994B9DBBB2BF89301F2081A9D409AB394DB359E82CF50

Function 05631A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e962e6de027c9467138723802dd8219f3c7255d76d6510ccb35ec7233361585
Instruction ID: 31e3bcd3776f6f868c8c3afd551b3a7e2e6b57a42f63af05b8a6b652930d063c
Opcode Fuzzy Hash: 1e962e6de027c9467138723802dd8219f3c7255d76d6510ccb35ec7233361585
Instruction Fuzzy Hash: C2C19F74E01218CFDB24DFA5D994B9DBBB2BF89300F2081A9D409AB355DB359E86CF50

Function 0563581B Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2c7df174b93d167098df8937ff2681942bcb58fe0c4cd782e895d0fcdc38c4
Instruction ID: 93517d6d0d73fcadc0b0151e85b64390f6578d4635b3ad6fbea1d5aa856349da
Opcode Fuzzy Hash: da2c7df174b93d167098df8937ff2681942bcb58fe0c4cd782e895d0fcdc38c4
Instruction Fuzzy Hash: 1EA17D74A01228CFDB65DF24C994BA9BBB2BF49301F5085EAD44EA7350DB319E81CF51

Function 056359FB Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599083f5306afcc05b247f944a3329b65ef76189613bafeb66b78c055f5f7934
Instruction ID: 75b54c3b051bd2584f918a3c908a2345a8166c980d081b9a59b7040ae8021f41
Opcode Fuzzy Hash: 599083f5306afcc05b247f944a3329b65ef76189613bafeb66b78c055f5f7934
Instruction Fuzzy Hash: E8518374A01228CFCB65DF24C854BA9BBB2FF4A301F5099EAD40AA7350DB319E81CF50

Function 05639120 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2477724745.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5630000_FylY1FW6fl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd9973891e4ea0dec1299dc61f4ad29932d1a4083c57896b9c64dea3c92cee0
Instruction ID: aa26ed1f7be13631fd3ea7f556cb6353064866fb320961a54da986f438ca2250
Opcode Fuzzy Hash: fbd9973891e4ea0dec1299dc61f4ad29932d1a4083c57896b9c64dea3c92cee0
Instruction Fuzzy Hash: C8016271851208EFD700AF70E86D3EDBB70FB5A707F559965A40AA3290D7784685EF80

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FylY1FW6fl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FylY1FW6fl.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1y4101cz.glp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knplpcic.nzw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvl14bdx.2j1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yc0fkyo0.whj.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
FylY1FW6fl.exe

Function 078F633A Relevance: 2.9, Strings: 2, Instructions: 381
COMMON

Function 078F6391 Relevance: 2.9, Strings: 2, Instructions: 375
COMMON

Function 078F6371 Relevance: 2.8, Strings: 2, Instructions: 339
COMMON

Function 078F6458 Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Function 078FD280 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Function 078FD270 Relevance: 2.7, Strings: 2, Instructions: 221
COMMON

Function 055BD1C8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 055BD1D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 055BB20B Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Function 055B449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 055B58ED Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre