Play interactive tour

Edit tour

Windows Analysis Report FA3TCAsA9E

Overview

General Information

Sample Name:	FA3TCAsA9E (renamed file extension from none to exe)
Analysis ID:	439916
MD5:	465403a9d41d410ba34e029b0831f5d8
SHA1:	368dc72252c0647c5343c290cfdf8ea4c0252344
SHA256:	8fad94268559bd4b13553e6ebcd81f00e6d86e408613cf62af4272309c374a34
Tags:	32exe
Infos:
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains VNC / remote desktop functionality (version string found)

Machine Learning detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

FA3TCAsA9E.exe (PID: 5608 cmdline: 'C:\Users\user\Desktop\FA3TCAsA9E.exe' MD5: 465403A9D41D410BA34E029B0831F5D8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: FA3TCAsA9E.exe PID: 5608	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: FA3TCAsA9E.exe	Virustotal: Detection: 18%			Perma Link
Source: FA3TCAsA9E.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\PECMD.exe

Joe Sandbox ML: detected

Source: 1.3.FA3TCAsA9E.exe.8de70fc.1.unpack

Avira: Label: TR/Patched.Ren.Gen

Source: FA3TCAsA9E.exe, 00000001.00000000.219020474.0000000000CCB000.00000002.00020000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: FA3TCAsA9E.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File opened: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcr71.dll

Jump to behavior

Source: FA3TCAsA9E.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp
Source:	Binary string: d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr
Source:	Binary string: msvcr71.pdb\ source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: atl71.pdbT source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp, atl71.dll.1.dr
Source:	Binary string: bootmgfw.pdb source: bootmgfw.efi.1.dr
Source:	Binary string: atl71.pdb source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp, atl71.dll.1.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\ReleseDll.vc7\XLBugHandler.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, XLBugHandler.dll.1.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: FA3TCAsA9E.exe, 00000001.00000003.238359337.0000000006399000.00000004.00000001.sdmp
Source:	Binary string: msvcp71.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: r:\depot_cont\Ghost\GSSTrunk\Ghost\Gdisk\vs2005\Win32\Release\Gdisk32.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: bcdedit.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: OSCDIMG.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233658523.0000000008EF0000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdbD0B source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: msvcr71.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: bootsect.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, bootsect.exe.1.dr

Source: global traffic

HTTP traffic detected: GET /wllinfo/newoemjsy/oemtianm.txt HTTP/1.1User-Agent: HttpClientHost: jsy.newitboy.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: jsy.newitboy.com

Source: iwll.dat.1.dr	String found in binary or memory: http://bbs.wuyou.com/forum.php?mod=viewthread&tid=203313&extra=&page=1
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://bellard.org/qemu/user-doc.html
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://bellard.org/qemu/user-doc.htmlQEMU
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%s&
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%sr
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%sHTTP://http://
Source: iwll.dat.1.dr	String found in binary or memory: http://freedos.sourceforge.net/freecom
Source: iwll.dat.1.dr	String found in binary or memory: http://grub4dos.chenall.net
Source: iwll.dat.1.dr	String found in binary or memory: http://grub4dos.chenall.net/e/%u)
Source: iwll.dat.1.dr	String found in binary or memory: http://ipxe.org/wimboot
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: iwll.dat.1.dr	String found in binary or memory: http://shsucdx.adoxa.cjb.net/
Source: FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp	String found in binary or memory: http://store.paycenter.uc.cn
Source: FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: iwll.dat.1.dr	String found in binary or memory: http://upx.sf.net
Source: iwll.dat.1.dr	String found in binary or memory: http://www.diskgenius.cn
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp, UltraISO.exe.1.dr	String found in binary or memory: http://www.ezbsystems.comDVarFileInfo$
Source: iwll.dat.1.dr	String found in binary or memory: http://www.gamers.org/~quinet/lilo/).
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.libsdl.org
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.libsdl.orgsdl_callbackSAMPLESSize
Source: FA3TCAsA9E.exe	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.symantec.com
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll-
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xunlei.com/
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	String found in binary or memory: http://www.xunlei.com/GET
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.xunlei.com/no-cache
Source: FA3TCAsA9E.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

Source: Yara match	File source: 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FA3TCAsA9E.exe PID: 5608, type: MEMORY

Source: bootmgr.exe.mui.1.dr

Static PE information: No import functions for PE file found

Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameXLBugHan.dll8 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameXLBugReport.exe. vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamezlib1.dll* vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamebcdedit.exej% vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBOOTICE.EXE0 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamebootsect.exej% vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefbinst.exe8 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: getOriginalFilenameString vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ^\VarFileInfo\Translation\StringFileInfo\getTranslationEntrygetTranslationStringFileDescriptiongetFileDescriptionStringLegalCopyrightgetLegalCopyrightStringCompanyNamegetCompanyNameStringFileVersiongetFileVersionStringInternalNamegetInternalNameStringOriginalFilenamegetOriginalFilenameStringProductNamegetProductNameStringProductVersiongetProductVersionStringLegalTrademarksgetLegalTrademarksStringPrivateBuildgetPrivateBuildStringSpecialBuildgetSpecialBuildStringCommentsgetCommentsString vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGdisk32.exe> vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTARGETNAMEWITHEXTENSION6 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePECMD.EXED vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMiniThunderPlatform4 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMiniTPFw.exeJ vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameminizip.dll> vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMSVCP71.DLL\ vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.238320298.0000000006390000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexldl4 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233658523.0000000008EF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMSVCR71.DLL\ vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233658523.0000000008EF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThunderFW2 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233658523.0000000008EF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThunderFW( vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSDL.dllR vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameultraiso.exeB vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000000.224687179.0000000002098000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename)Y vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameATL71.DLL< vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedl_peer_id2 vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedl_peer_id( vs FA3TCAsA9E.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedownload_interface.dll0 vs FA3TCAsA9E.exe

Source: FA3TCAsA9E.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: bootmgr.exe.mui.1.dr

Static PE information: Section .rsrc

Source: bootsect.exe.1.dr

Binary string: \ArcName\multi(0)disk(0)rdisk(1)\ArcName\multi(0)disk(0)rdisk(0)multi(%d)disk(%d)rdisk(%d)FirmwareBootDevice\Registry\Machine\SYSTEM\CurrentControlSet\Control%s\Partition%lu\Partition0SystemPartition\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart\Device\Harddisk%lu\Partition%luMININTSystemStartOptions%s%s\ArcName\multi(%d)disk(%d)rdisk(%d)partition(%d)

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/59@1/1

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

Mutant created: \Sessions\1\BaseNamedObjects\?????????

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File created: C:\Users\user\AppData\Local\Temp\400u50BLNB

Jump to behavior

Source: FA3TCAsA9E.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor WHERE (Name IS NOT NULL)

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: FA3TCAsA9E.exe	Virustotal: Detection: 18%
Source: FA3TCAsA9E.exe	ReversingLabs: Detection: 17%

Source: FA3TCAsA9E.exe	String found in binary or memory: No errorUnsupported protocolFailed initializationURL using bad/illegal format or missing URLA requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.Couldn't resolve proxy nameCouldn't resolve host nameCouldn't connect to serverWeird server replyAccess denied to remote resourceFTP: The server failed to connect to data portFTP: Accepting server connect has timed outFTP: The server did not accept the PRET command.FTP: unknown PASS replyFTP: unknown PASV replyFTP: unknown 227 response formatFTP: can't figure out the host in the PASV responseError in the HTTP2 framing layerFTP: couldn't set file typeTransferred a partial fileFTP: couldn't retrieve (RETR failed) the specified fileQuote command returned errorHTTP response code said errorFailed writing received data to disk/applicationUpload failed (at start/before it took off)Failed to open/read local data from file/applicationTimeout was reachedFTP: command PORT failedFTP: command REST failedRequested range was not delivered by the serverInternal problem setting up the POSTSSL connect errorCouldn't resume downloadCouldn't read a file:// fileLDAP: cannot bindLDAP: search failedA required function in the library was not foundOperation was aborted by an application callbackA libcurl function was given a bad argumentFailed binding local connection endNumber of redirects hit maximum amountAn unknown option was passed in to libcurlMalformed telnet optionServer returned nothing (no headers, no data)SSL crypto engine not foundCan not set SSL crypto engine as defaultFailed to initialise SSL crypto engineFailed sending data to the peerFailure when receiving data from the peerProblem with the local SSL certificateCouldn't use specified SSL cipherSSL peer certificate or SSH remote key was not OKProblem with the SSL CA cert (path? access rights?)Unrecognized or bad HTTP Content or Transfer-EncodingInvalid LDAP URLRequested SSL level failedFailed to shut down the SSL connectionFailed to load CRL file (path? access rights?, format?)Issuer check against peer certificate failedSend failed since rewinding of the data stream failedLogin deniedTFTP: File Not FoundTFTP: Access ViolationDisk full or allocation exceededTFTP: Illegal operationTFTP: Unknown transfer IDRemote file already existsTFTP: No such userConversion failedCaller must register CURLOPT_CONV_ callback optionsRemote file not foundError in the SSH layerSocket not ready for send/recvRTSP CSeq mismatch or invalid CSeqRTSP session errorUnable to parse FTP file listChunk callback failedThe max connection limit is reachedSSL public key does not match pinned public keySSL server certificate status verification FAILEDStream error in the HTTP/2 framing layerAPI function called from within callbackUnknown errorCall interruptedBad fileBad accessBad argumentInvalid argumentsOut of file descriptorsCall would blockBlocking call in progressDescriptor is not a socketNeed destination addressBad message sizeBad protocolProto
Source: FA3TCAsA9E.exe	String found in binary or memory: set-addPolicy
Source: FA3TCAsA9E.exe	String found in binary or memory: .\crypto\comp\comp_lib.cbuffer.\crypto\bio\bf_buff.cDiffie-Hellman part of OpenSSL 1.0.2u 20 Dec 2019.\crypto\dh\dh_lib.clhash part of OpenSSL 1.0.2u 20 Dec 2019.\crypto\lhash\lhash.csetct-PIsetct-PIDatasetct-PIDataUnsignedsetct-HODInputsetct-AuthResBaggagesetct-AuthRevReqBaggagesetct-AuthRevResBaggagesetct-CapTokenSeqsetct-PInitResDatasetct-PI-TBSsetct-PResDatasetct-AuthReqTBSsetct-AuthResTBSsetct-AuthResTBSXsetct-AuthTokenTBSsetct-CapTokenDatasetct-CapTokenTBSsetct-AcqCardCodeMsgsetct-AuthRevReqTBSsetct-AuthRevResDatasetct-AuthRevResTBSsetct-CapReqTBSsetct-CapReqTBSXsetct-CapResDatasetct-CapRevReqTBSsetct-CapRevReqTBSXsetct-CapRevResDatasetct-CredReqTBSsetct-CredReqTBSXsetct-CredResDatasetct-CredRevReqTBSsetct-CredRevReqTBSXsetct-CredRevResDatasetct-PCertReqDatasetct-PCertResTBSsetct-BatchAdminReqDatasetct-BatchAdminResDatasetct-CardCInitResTBSsetct-MeAqCInitResTBSsetct-RegFormResTBSsetct-CertReqDatasetct-CertReqTBSsetct-CertResDatasetct-CertInqReqTBSsetct-ErrorTBSsetct-PIDualSignedTBEsetct-PIUnsignedTBEsetct-AuthReqTBEsetct-AuthResTBEsetct-AuthResTBEXsetct-AuthTokenTBEsetct-CapTokenTBEsetct-CapTokenTBEXsetct-AcqCardCodeMsgTBEsetct-AuthRevReqTBEsetct-AuthRevResTBEsetct-AuthRevResTBEBsetct-CapReqTBEsetct-CapReqTBEXsetct-CapResTBEsetct-CapRevReqTBEsetct-CapRevReqTBEXsetct-CapRevResTBEsetct-CredReqTBEsetct-CredReqTBEXsetct-CredResTBEsetct-CredRevReqTBEsetct-CredRevReqTBEXsetct-CredRevResTBEsetct-BatchAdminReqTBEsetct-BatchAdminResTBEsetct-RegFormReqTBEsetct-CertReqTBEsetct-CertReqTBEXsetct-CertResTBEsetct-CRLNotificationTBSsetct-CRLNotificationResTBSsetct-BCIDistributionTBSsetext-genCryptgeneric cryptogramsetext-miAuthmerchant initiated authsetext-pinSecuresetext-pinAnysetext-track2setext-cvadditional verificationset-policy-rootsetCext-hashedRootsetCext-certTypesetCext-merchDatasetCext-cCertRequiredsetCext-tunnelingsetCext-setExtsetCext-setQualfsetCext-PGWYcapabilitiessetCext-TokenIdentifiersetCext-Track2DatasetCext-TokenTypesetCext-IssuerCapabilitiessetAttr-CertsetAttr-PGWYcappayment gateway capabilitiessetAttr-TokenTypesetAttr-IssCapissuer capabilitiesset-rootKeyThumbset-addPolicysetAttr-Token-EMVsetAttr-Token-B0PrimesetAttr-IssCap-CVMsetAttr-IssCap-T2setAttr-IssCap-SigsetAttr-GenCryptgrmgenerate cryptogramsetAttr-T2Encencrypted track 2setAttr-T2cleartxtcleartext track 2setAttr-TokICCsigICC or token signaturesetAttr-SecDevSigsecure device signatureset-brand-IATA-ATAset-brand-Dinersset-brand-AmericanExpressset-brand-JCBset-brand-Visaset-brand-MasterCardset-brand-NovusDES-CDMFdes-cdmfrsaOAEPEncryptionSETITU-Titu-tJOINT-ISO-ITU-Tjoint-iso-itu-tinternational-organizationsInternational OrganizationsmsSmartcardLoginMicrosoft SmartcardloginmsUPNMicrosoft Universal Principal NameAES-128-CFB1aes-128-cfb1AES-192-CFB1aes-192-cfb1AES-256-CFB1aes-256-cfb1AES-128-CFB8aes-128-cfb8AES-192-CFB8aes-192-cfb8AES-256-CFB8aes-256-cfb8DES-CFB1des-cfb1DES-CFB8des-cfb8DES-EDE3-CFB1des-ede3-cfb1DES-EDE3-CFB8des-ede3-cfb8streetstreetAddresspostalCodeid-pplproxyCertInfoP
Source: FA3TCAsA9E.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File written: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\uikey.ini

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

Window detected: Number of UI elements: 95

Source: FA3TCAsA9E.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FA3TCAsA9E.exe

Static file information: File size 24123904 > 1048576

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File opened: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcr71.dll

Jump to behavior

Source: FA3TCAsA9E.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x309800
Source: FA3TCAsA9E.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x12b4600

Source: FA3TCAsA9E.exe

Static PE information: More than 200 imports for USER32.dll

Source: FA3TCAsA9E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FA3TCAsA9E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FA3TCAsA9E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FA3TCAsA9E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FA3TCAsA9E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FA3TCAsA9E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FA3TCAsA9E.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: FA3TCAsA9E.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp
Source:	Binary string: d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr
Source:	Binary string: msvcr71.pdb\ source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: atl71.pdbT source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp, atl71.dll.1.dr
Source:	Binary string: bootmgfw.pdb source: bootmgfw.efi.1.dr
Source:	Binary string: atl71.pdb source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp, atl71.dll.1.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\ReleseDll.vc7\XLBugHandler.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, XLBugHandler.dll.1.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: FA3TCAsA9E.exe, 00000001.00000003.238359337.0000000006399000.00000004.00000001.sdmp
Source:	Binary string: msvcp71.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: r:\depot_cont\Ghost\GSSTrunk\Ghost\Gdisk\vs2005\Win32\Release\Gdisk32.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: bcdedit.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: OSCDIMG.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233658523.0000000008EF0000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdbD0B source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp
Source:	Binary string: msvcr71.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp
Source:	Binary string: bootsect.pdb source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, bootsect.exe.1.dr

Source: FA3TCAsA9E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FA3TCAsA9E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FA3TCAsA9E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FA3TCAsA9E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FA3TCAsA9E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: FA3TCAsA9E.exe	Static PE information: section name: .giats
Source: MiniThunderPlatform.exe.1.dr	Static PE information: section name: .textbss

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bcdedit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi.mui	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgr.exe.mui	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\minizip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\UltraISO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libz-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\GDisk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libpdcurses.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniTPFw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libssp-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootsect.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\oscdimg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\SDL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\fbinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\PECMD.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\QEMU.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugReport.exe	Jump to dropped file

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File created: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi

Jump to dropped file

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard WHERE (Product IS NOT NULL)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController WHERE (description IS NOT NULL)
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController WHERE (description IS NOT NULL)

Query firmware table information (likely to detect VMs)

Show sources

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bcdedit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi.mui	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgr.exe.mui	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\minizip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\UltraISO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libz-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\GDisk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libpdcurses.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniTPFw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libssp-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootsect.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\oscdimg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\SDL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\fbinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\PECMD.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\QEMU.exe	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugReport.exe	Jump to dropped file

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem WHERE (Model IS NOT NULL)
Source: C:\Users\user\Desktop\FA3TCAsA9E.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem WHERE (Model IS NOT NULL)

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor WHERE (Name IS NOT NULL)

Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: QEMU MICRODRIVE
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: bootorderfw_cfgctl_iobasedata_iobaseQEMU
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU Microsoft Mouse
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Eusb-hubhubQEMU USB Hub)
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: host:btbt:qemu: could not add USB device '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie_aer.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: ^cardchipvmware_vga_internal2jd
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: isa-debugconiobasechardevreadbackqemu: multiboot knows VBE. we don't.
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: Warning: vmware_vga not available, using standard VGA instead
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\libpdcurses.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/hw/scsi-bus.cbus->devs[dev->id] != NULLi != bus->ndev%s@%xbad scsi device id: %dscsi-genericscsi-diskscsi-idremovabledrive
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: mon:qemu: only one watchdog option may be given
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: warning: error while loading state section id %d
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: hdad:/src/qemu/repo.or.cz/qemu/ar7/hw/hda-audio.cnode->stindex < ARRAY_SIZE(a->st)mutedr-lio?%s: nid %d (%s), verb 0x%x, payload 0x%x
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/aes.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_st8
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/scsi-disk.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU (%s)%s
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: too many serial ports
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: { 'enabled': false }{ 'enabled': true, 'clients': %p }d:/src/qemu/repo.or.cz/qemu/ar7/ui/vnc.c*ret_data != NULLvnc: out of memory
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: media=cdromqemu: unknown boot parameter '%s' in '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_timer
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/ui/vnc-enc-zrle-template.cpalette_size(palette) < 171.2.3VNC: error initializing zlib
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Dd:/src/qemu/repo.or.cz/qemu/ar7/nbd.c%s:%s():L%d: write failed
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: TxOkRxOkTxERRRxERRMissPktFAETx1ColTxMColRxOkPhyRxOkBrdTxAbtTxUndrnd:/src/qemu/repo.or.cz/qemu/ar7/hw/tnetw1130.c!(addr & 3)!(addr & 1)0x%08xaddr < TNETW1130_MEM1_SIZEACX111%-24saddr %s = 0x%08x
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: spice is not supported by this qemu build.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB SERIAL
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: warning: socket type=%d for fd=%d is not SOCK_DGRAM or SOCK_STREAM
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU PS/2 Mouse
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: nodenodeidmemqemu: invalid numa mem size: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: QEMU HARDDISK
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/efi32.bin
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: qemu: too many IDE bus
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_BOOL
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-serial-bus.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/multiboot.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Dd:/src/qemu/repo.or.cz/qemu/ar7/nbd.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: ide.0ide.1smbus-eepromaddressdata486pc-0.14pcStandard PCpc-0.13pc-0.12pc-0.11Standard PC, qemu 0.11pc-0.10Standard PC, qemu 0.10isapcISA-only PCvirtio-9p-pcivectors0VGArombarvmware-svgaPCIcommand_serr_enableoffvirtio-serial-pcimax_ports1virtio-blk-pciide-drivever0.11scsi-diskclass0x01800x0380virtio-net-pci0.10mingwm10.dll__mingwthr_remove_key_dtor__mingwthr_key_dtor
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_ld32
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: modechardevdefaulthci0nullhosthci,vlan=qemu: Unknown bluetooth HCI `%s'.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: `usb_createaddrstateremote_wakeupsetup_statesetup_lensetup_indexsetup_bufportd:/src/qemu/repo.or.cz/qemu/ar7/hw/usb-desc.cdesc != NULLusb: port/device speed mismatch for "%s"
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/blockdev.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: %s: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU BT dongle
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: hardware error:
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/event_notifier.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: unsupported keyboard cmd=0x%02x
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: QEMU emulator version 0.14.50, Copyright (c) 2003-2008 Fabrice Bellard
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: (qemu)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/exec.csize >= TARGET_PAGE_SIZEBad ram pointer %p
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: QEMU DVD-ROM
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu ...
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: vvfatfatvvfat_write_target1.2.3d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2.c(acb->cluster_offset & 511) == 0acb->hd_qiov.size <= QCOW_MAX_CRYPT_CLUSTERS * s->cluster_sizeCluster size must be a power of two between %d and %dk
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu.sstep
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu-vlan%d.pcap
Source: bootmgr.exe.mui.1.dr	Binary or memory string: Hyper-V
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU Virtual CPU version 0.14.50
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU CD-ROM
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: balloon{ 'class': 'DeviceNotActive', 'data': { 'device': %s } }d:/src/qemu/repo.or.cz/qemu/ar7/balloon.cvaluedo_balloondo_info_balloonvirtio-blk missing headersvirtio-blk header not in correct elementvirtio-blk-pci: drive property not setDevice needs media, but drive is emptyvirtio-blk/disk@0,0actuald:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLvirtio-balloonunable to start vhost net: %d: falling back on userspace virtiod:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-net.c!n->vhost_startedvirtio-net ctrl missing headersvirtio-net ctrl header not in correct elementvirtio-net ctrl invalid rx mode commandvirtio-net ctrl invalid vlan commandn->vdev.vm_runningvirtio-net header not in first elementvirtio-net unexpected empty queue: i %zd mergeable %d offset %zd, size %zd, guest hdr len %zd, host hdr len %zd guest features 0x%xvirtio-net receive queue contains no in buffersvirtio-net: saved image requires vnet_hdr=onvirtio-net: saved image requires TUN_F_UFO supportvirtio-nettimerbhvirtio-net: Unknown option tx=%s, valid options: "timer" "bh"Defaulting to "bh"/ethernet-phy@0
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pci_bridge.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Dd:/src/qemu/repo.or.cz/qemu/ar7/qdict.ce != NULLe->key != NULLe->value != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLobj != NULLqobject_type(obj) == typeobj
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu32
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: qemu: multiboot knows VBE. we don't.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/usb-bus.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: invalid numa mem size: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: vmware-svga
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: isabus-bridgeisa irq %d invalidd:/src/qemu/repo.or.cz/qemu/ar7/hw/isa-bus.cdev->nirqs < ARRAY_SIZE(dev->isairq)dev->nioports < ARRAY_SIZE(dev->ioports)Tried to create isa device %s with no isa bus present.isaISA0x%016llxtaddrVGAvgabios-stdvga.binvga
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/efi64.bino
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: qemu: error reading initrd %s
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: %dcylsheadssecstransqemu: too many NUMA nodes
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/vdi.cacb->bmap_first != VDI_UNALLOCATED!acb->header_modifiedsizestatic<<< QEMU VM Virtual Disk Image >>>
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ZGQEMU Microsoft Moused:/src/qemu/repo.or.cz/qemu/ar7/hw/ps2.c%s:%u %s(%d)
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: { 'offset': %d }d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLd:/src/qemu/repo.or.cz/qemu/ar7/vl.cdev != NULL \|\| suffix != NULLTwo devices with same boot index %d
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: RNDIS/QEMU USB Network Device
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: virtfs is not supported by this qemu build.
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pci.csize == pci_config_size(container_of(pv, PCIDevice, config))len == 1 \|\| len == 2 \|\| len == 4pci%04x,%04x%s@%x,%xi/omemVGA controllerClass %04x%*sclass %s, addr %02x:%02x.%x, pci id %04x:%04x (sub %04x:%04x)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: warning: error while loading state for instance 0x%x of device '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMU 0.14.50Wacom PenPartner10l`=l`Nl`
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: endnopnop1nop2nop3nopndiscardset_labelcalljmpbrmov_i32movi_i32setcond_i32ld8u_i32ld8s_i32ld16u_i32ld16s_i32ld_i32st8_i32st16_i32st_i32add_i32sub_i32mul_i32div2_i32divu2_i32and_i32or_i32xor_i32shl_i32shr_i32sar_i32rotl_i32rotr_i32brcond_i32add2_i32sub2_i32brcond2_i32mulu2_i32setcond2_i32ext8s_i32ext16s_i32ext8u_i32ext16u_i32bswap16_i32bswap32_i32not_i32neg_i32debug_insn_startexit_tbgoto_tbqemu_ld8uqemu_ld8sqemu_ld16uqemu_ld16sqemu_ld32qemu_ld64qemu_st8qemu_st16qemu_st32qemu_st64
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: 0x%08lx: snapshotondriverhinvalid optionrequires an argumentQEMU emulator version 0.14.50, Copyright (c) 2003-2008 Fabrice Bellard
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: D%lldd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qstring.cobj != NULL
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: monitor_read_bdrv_key_startmonitor_read_passwordname:s?[cmd]show the helpcommitdevice:Bdevice\|allcommit changes to the disk images (if -snapshot is used) or backing filesq\|quitquit the emulatorblock_resizedevice:B,size:odevice sizeresize a block imageejectforce:-f,device:B[-f] deviceeject a removable medium (use -f to force it)drive_delid:sremove host block devicechangedevice:B,target:F,arg:s?device filename [format]change a removable medium, optional formatscreendumpfilename:Fsave screen into PPM image 'filename'logfileoutput logs to 'filename'items:sitem1[,...]activate logging of the specified items to '/tmp/qemu.log'savevm[tag\|id]save a VM snapshot. If no tag or id are provided, a new snapshot is createdloadvmname:stag\|idrestore a VM snapshot from its tag or iddelvmdelete a VM snapshot from its tag or idoption:s?[on\|off]run emulation in singlestep mode or switch to normal modestopstop emulationc\|contresume emulationgdbserverdevice:s?[device]start gdbserver on given device (default 'tcp::1234'), stop with 'none'xfmt:/,addr:l/fmt addrvirtual memory dump starting at 'addr'xpphysical memory dump starting at 'addr'p\|printfmt:/,val:l/fmt exprprint expression value (use $reg for CPU register access)ifmt:/,addr:i,index:i.I/O port readofmt:/,addr:i,val:i/fmt addr valueI/O port writestring:s,hold_time:i?keys [hold_ms]send keys to the VM (e.g. 'sendkey ctrl-alt-f1', default hold time=100 ms)system_resetreset the systemsystem_powerdownsend system power down eventsumstart:i,size:iaddr sizecompute the checksum of a memory regionusb_adddevname:sadd USB device (e.g. 'host:bus.addr' or 'host:vendor_id:product_id')usb_delremove USB device 'bus.addr'device_adddevice:Odriver[,prop=value][,...]add device, like -device on the command linedevice_delremove devicecpuindex:iset the default CPUmouse_movedx_str:s,dy_str:s,dz_str:s?dx dy [dz]send mouse move eventsmouse_buttonbutton_state:istatechange mouse button state (1=L, 2=M, 4=R)mouse_setset which mouse device receives eventswavcapturepath:F,freq:i?,bits:i?,nchannels:i?path [frequency [bits [channels]]]capture audio to a wave file (default frequency=44100 bits=16 channels=2)stopcapturen:icapture indexstop capturememsaveval:l,size:i,filename:saddr size filesave to disk virtual memory dump starting at 'addr' of size 'size'pmemsavesave to disk physical memory dump starting at 'addr' of size 'size'boot_setbootdevice:sdefine new values for the boot device listnmicpu_index:iinject an NMI on the given CPUmigratedetach:-d,blk:-b,inc:-i,uri:s[-d] [-b] [-i] urimigrate to URI (using -d to not wait for completion)
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/hd.vmdk
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pc.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Net RNDIS
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-serial-bus.cportvirtio_queue_ready(vq)maximum ports supported: %uvirtio-serialvirtio-consolevirtio-serial-bus@<A
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_NUMBER
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: typetokend:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLexpected separator in dictexpecting valueexpected separator in list%p%i%d%ld%lld%I64d%s%ftruefalseinvalid keyword `%s'"'\/
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/cutils.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU PenPartner Tablet
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: <<< QEMU VM Virtual Disk Image >>>
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu.log
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/vl.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: c:/Program Files/Qemu
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: rbqemu: could not load kernel '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ran out of space in vm_config_groups%63[^.].%63[^.].%63[^=]%ncan't parse: "%s"there is no %s "%s" defined%63[^.].%63[^=]%ndriverpropertyvalue# qemu config file
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: could not open parallel device '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/smbus.cinfo->i2c.qdev.size >= sizeof(SMBusDevice)smbus-eepromdatauint16_from_uint8 is used only for backwards compatibility.
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu64
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/net/dump.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULL{ 'client': %p, 'server': %p }
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_ld16s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: error: getsockopt(SO_TYPE) for fd=%d failed
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_ld16u
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: {'name': %s }{}{ 'running': %i, 'singlestep': %i }{ 'enabled': false, 'present': false }%02hhx%02hhx%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx{ 'UUID': %s }{ 'CPU': %d, 'current': %i, 'halted': %i }pcd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/monitor.cqobject_type(data) == QTYPE_QLISTnindexa CPU number{ 'class': 'InvalidParameterValue', 'data': { 'name': %s, 'expected': %s } }0.14.50{ 'qemu': { 'major': %d, 'minor': %d, 'micro': %d }, 'package': %s }{ 'name': %s }quitversionquery-%sprotocoltimenowneverspice{ 'class': 'DeviceNotActive', 'data': { 'device': %s } }vnc{ 'class': 'SetPasswdFailed', 'data': {} }{ 'class': 'InvalidParameter', 'data': { 'name': %s } }passwordconnectedfaildisconnectkeepfdname{ 'class': 'FdNotFound', 'data': { 'name': %s } }{ 'class': 'FdNotSupplied', 'data': {} }a name not starting with a digitcpu_indexbankstatusmcg_statusaddrmiscbroadcasthostnamecert-subjectporttls-portbutton_statedx_strdy_strdz_strsizeval{ 'class': 'MigrationExpected', 'data': {} }namefilename.../(qemu) unsupported escape code: '\%c'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_opts_validate
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_ld64
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: 5E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E<3E76Ed:/src/qemu/repo.or.cz/qemu/ar7/console.cd < ds->surface->data + ds->surface->linesize * ds->surface->heighteLEtMEHME
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/intel-hda.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: Vd:/src/qemu/repo.or.cz/qemu/ar7/hw/msi.cvector < PCI_MSI_VECTORS_MAX!(nr_vectors & (nr_vectors - 1))nr_vectors > 0nr_vectors <= PCI_MSI_VECTORS_MAXvector < nr_vectorsflags & PCI_MSI_FLAGS_MASKBITd:/src/qemu/repo.or.cz/qemu/ar7/hw/pci_host.clen == 1 \|\| len == 2 \|\| len == 4d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie_host.clen == 1 \|\| len == 2 \|\| len == 4!(size & (size - 1))size >= PCIE_MMCFG_SIZE_MINsize <= PCIE_MMCFG_SIZE_MAX\|
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qjson.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qemu-timer.calarm_has_dynticks(t)Failed to rearm win32 alarm timer: %ld
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_st32
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/i2c.cinfo->qdev.size >= sizeof(i2c_slave)addressi2c_slave9:`
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: error: init_dgram: fd=%d failed getsockname(): %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu.logcpu_common
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: could not add USB device '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: !(flags & QEMU_NET_PACKET_FLAG_RAW)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_popen: Argument validity check failed
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/tcg/i386/tcg-target.cloc%dtmp%d@XRlXR
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/net.c!(flags & QEMU_NET_PACKET_FLAG_RAW)model=%s,macaddr=%02x:%02x:%02x:%02x:%02x:%02xinfo->size >= sizeof(VLANClientState)%s.%d!peer!peer->peerinfo->type == NET_CLIENT_TYPE_NICinfo->size >= sizeof(NICState)unknown VLAN %d
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: parallel%dqemu: could not open parallel device '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]brailleusb-braillechardevvendorid=bogus vendor ID %sproductid=bogus product ID %sunrecognized serial USB option %scharacter device specification neededusb-serialvendoridproductidusbserial%dProperty chardev is requiredQEMU USB SerialserialQEMU USB Braille
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Hub
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: vmware_vga_internal
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: unsupported bluetooth device `%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: keyboardqemu: unsupported bluetooth device `%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: cpuawallqemu: fatal:
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: cxsparsevpcVirtual disk sized:/src/qemu/repo.or.cz/qemu/ar7/block/vvfat.c(offset % array->item_size) == 0offset/array->item_size < array->nextindex < array->nextmapping->begin < mapping->endindex2!=index3 \|\| index2==0index1<=index2index >=0index + count <= array->nextmapping->begin<=cluster_num && mapping->end>cluster_nummappingmapping->begin == first_clustermapping == array_get(&(s->mapping), s->mapping.next - 1) \|\| mapping[1].begin >= ccount > 0!s->current_mapping \|\| s->current_fd \|\| (s->current_mapping->mode & MODE_DIRECTORY)((s->cluster-(unsigned char)s->directory.pointer)%s->cluster_size)==0(char)s->cluster+s->cluster_size <= s->directory.pointer+s->directory.next*s->directory.item_sizes->current_fddirentrymapping->info.dir.first_dir_index < s->directory.nextmapping->mode & MODE_DIRECTORYQEMU!strncmp(s->directory.pointer, "QEMU", 4)dir_index == 0 \|\| is_directory(direntry)offset < size(offset % s->cluster_size) == 0Could not open %s... (%s, %d)
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: s\QEMU\vgabios-stdvga.bin
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: set QEMU_WAV_PATH=c:\tune.wav
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: `K^devreboot_enabledclock_scaleint_typefree_runlockedenabledtimertimer1_preloadtimer2_preloadstageunlock_stateprevious_reboot_flagd:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie.cPCI_FUNC(pci_dev->devfn) == 0next >= PCI_CONFIG_SPACE_SIZEnext <= PCIE_CONFIG_SPACE_SIZE - 8pci_is_express(dev)pos > 0vector < 32offset >= PCI_CONFIG_SPACE_SIZEoffset < offset + sizeoffset + size < PCIE_CONFIG_SPACE_SIZEsize >= 8prev >= PCI_CONFIG_SPACE_SIZEnext == 0!(next & (PCI_EXT_CAP_ALIGN - 1))d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie_aer.cerr->statuserr->status & (err->status - 1)!(err->flags & PCIE_AER_ERR_TLP_PREFIX_PRESENT)vector < PCI_ERR_ROOT_IRQ_MAX!retaer_log->log_numd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLqobject_type(data) == QTYPE_QDICTdevfnbusdomainidOK id: %s domain: %x, bus: %x devfn: %x.%x
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: bad HCI packet type %02x
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie_host.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: bad bluetooth parameter '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: invalid ram size: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/blkdebug.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: virtio-serialvirtconsolevirtcon%dqemu: could not open virtio console '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/ide/pci.h
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Virtual disk sizereadwriteignoreenospcstopreport'%s' invalid %s error action %s{ 'class': 'DeviceNotRemovable', 'data': { 'device': %s } }d:/src/qemu/repo.or.cz/qemu/ar7/blockdev.c{ 'class': 'DeviceLocked', 'data': { 'device': %s } }driveif%dindexfiledinfo->refcount-hd-cdscsiidebusunitcylsheadssecssnapshotreadonlyserialunsupported bus type '%s'invalid physical cyls numberinvalid physical heads numberinvalid physical secs numbertrans'%s' trans must be used with cyls,heads and secsnonelbaauto'%s' invalid translation typemediadiskcdrom'%s' invalid physical CHS format'%s' invalid mediacacheoffwritebackunsafewritethroughinvalid cache optionformat?Supported formats:
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: dp8381xd:/src/qemu/repo.or.cz/qemu/ar7/hw/dp8381x.caddr < 0x80 && !(addr & 3)addr >= 0x80 && addr < 0x100 && !(addr & 3)DP8381X %-24slen=%u
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: csrhci_in_packetcsrhci_in_packet_vendorqemu file buffer expansion failed
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/scsi-bus.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/savevm.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/smbus.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_cond_init
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: S_onoff'on' or 'off'{ 'class': 'InvalidParameterValue', 'data': { 'name': %s, 'expected': %s } }d:/src/qemu/repo.or.cz/qemu/ar7/qemu-option.ca sizeYou may use k, M, G or T suffixes for kilobytes, megabytes, gigabytes and terabytes.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu-icon.bmp
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: %s,cyls=%d,heads=%d,secs=%d%slbaautoqemu: invalid physical CHS format
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: spicespice is not supported by this qemu build.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: Can't open `%s': %s (%i)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: fatal:
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/ioh3420.c
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/vgabios-stdvga.bin
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_thread_init
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_fopen: Argument validity check failed
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: isa-debugconnoneqemu: too many virtio consoles
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: Too many bluetooth HCIs (max %i).
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\libssp-0.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/usb-bus.cport != NULLUSB support not enabled
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: -d item1,... output log to /tmp/qemu.log (use -d ? for a list of log items)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: !strncmp(s->directory.pointer, "QEMU", 4)
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\libz-1.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu.wav
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemuusage: %s [options] [disk_image]
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-refcount.cmeta_offset >= (s->free_cluster_index * s->cluster_size)size > 0 && size <= s->cluster_sizel1_size == s->l1_sizeERROR refcount block %d is not cluster aligned; refcount table entry corrupted
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qint.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qbool.cobj != NULL
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: cloop.dmg1.2.3dmgBochs Virtual HD ImageRedologGrowingbochssizeconectixblock-vpc: The header checksum of '%s' is incorrect.
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: bad scatternet '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: unrecognised bluetooth vlan Id
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: hosthostnamedhcpstartdnstftpbootfilesmbsmbserverip/24netrestrictnet=%s, restricted=%cchannel,d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qint.cobj != NULL
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Net CDC
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/eepro100.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: too many virtio consoles
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU_AUDIO_DRVCould not initialize audio subsystem
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: QEMUQEMU DVD-ROMQEMU HARDDISKQEMU MICRODRIVE
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-pci.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: xend will use this when starting qemu
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/qdev.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu-icon.bmprbspaceexclamquotedblnumbersigndollarpercentampersandapostropheparenleftparenrightasteriskpluscommaminusperiodslash023456789colonsemicolonlessequalgreaterquestionatABCDEFGHIJKLMNOPQRSTUVWXYZbracketleftbackslashbracketrightasciicircumunderscoregraveabcdefghijklmnopqrstuvwxyzbraceleftbarbracerightasciitildenobreakspaceexclamdowncentsterlingcurrencyyenbrokenbarsectiondiaeresiscopyrightordfeminineguillemotleftnotsignhyphenregisteredmacrondegreeplusminustwosuperiorthreesuperioracutemuparagraphperiodcenteredcedillaonesuperiormasculineguillemotrightonequarteronehalfthreequartersquestiondownAgraveAacuteAcircumflexAtildeAdiaeresisAringAECcedillaEgraveEacuteEcircumflexEdiaeresisIgraveIacuteIcircumflexIdiaeresisETHEthNtildeOgraveOacuteOcircumflexOtildeOdiaeresismultiplyOobliqueOslashUgraveUacuteUcircumflexUdiaeresisYacuteTHORNThornssharpagraveaacuteacircumflexatildeadiaeresisaringaeccedillaegraveeacuteecircumflexediaeresisigraveiacuteicircumflexidiaeresisethntildeograveoacuteocircumflexotildeodiaeresisdivisionoslashoobliqueugraveuacuteucircumflexudiaeresisyacutethornydiaeresisEuroSignControl_LControl_RAlt_LAlt_RCaps_LockMeta_LMeta_RShift_LShift_RSuper_LSuper_RBackSpaceTabReturnRightLeftUpDownPage_DownPage_UpInsertDeleteHomeEndScroll_LockF1F2F3F4F5F6F7F8F9F10F11F12F13F14F15Sys_ReqKP_0KP_1KP_2KP_3KP_4KP_5KP_6KP_7KP_8KP_9KP_AddKP_DecimalKP_DivideKP_EnterKP_EqualKP_MultiplyKP_SubtracthelpMenuPowerPrintMode_switchMulti_KeyNum_LockPauseEscapeE
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Dd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qlist.cobj != NULLobj->type->destroy != NULL
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: serial%dqemu: could not open serial device '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: # qemu config file
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_st64
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: Unknown bluetooth HCI `%s'.
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/libpdcurses.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: vhciqemu: bad scatternet '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU Bluetooth HID
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMUf
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/isa-bus.c
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\QEMU.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/SDL.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: Kd:/src/qemu/repo.or.cz/qemu/ar7/tcg/tcg.c%s:%d: tcg fatal error
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Serial
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: invalid resolution or depth
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: cpudefqemu64phenomcore2duokvm64qemu32kvm32coreduo486pentiumpentium2pentium3athlonn270fpuvmedepsetscmsrpaemcecx8apicsepmtrrpgemcacmovpatpse36pnclflushdsacpimmxfxsrssesse2sshttmia64pbepni\|sse3pclmuldqdtes64monitords_cplvmxsmxesttm2ssse3cidfmacx16xtprpdcmdcasse4.1\|sse4_1sse4.2\|sse4_2x2apicmovbepopcntaesxsaveosxsaveavxsyscallnxmmxextfxsr_optpdpe1gbrdtscplm3dnowext3dnowlahf_lmcmp_legacysvmextapiccr8legacyabmsse4amisalignsse3dnowprefetchosvwibsxopskinitwdtfma4cvt16nodeid_msrkvmclockkvm_nopiodelaykvm_mmukvm_asyncpfnptlbrvsvm_locknrip_savetsc_scalevmcb_cleanflushbyasiddecodeassistspause_filterpfthresholdUnknown error %d
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: OKT02E14E22qemu.sstepbitsENABLE=%x,NOIRQ=%x,NOTIMER=%xqemu.sstep0x%xCQC1fThreadInfosThreadInfom%xlThreadExtraInfo,CPU#%d [%s]Rcmd,E01SupportedPacketSize=%x
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: Unsupported NIC model: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU %s monitor - type 'help' for more information
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/e100.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ddtypetokenxyd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLparse error:
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: c:/Program Files/QemuNumber of SMP cpus requested (%d), exceeds max cpus supported by machine `%s' (%d)
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: Please report this to qemu-devel@nongnu.org
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/tnetw1130.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qfloat.cobj != NULL
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/QEMU.exe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: error: init_dgram: fd=%d unbound, cannot setup multicast dst addr
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pcie.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/scsi-disk.cr->req.aiocb == NULLscsi-disk: Bad write tag 0x%x
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: bt_l2cap_sdp_sdu_inhttp://bellard.org/qemu/user-doc.htmlQEMU 0.14.50QEMU Bluetooth HIDQEMU Keyboard/Mouse%s: ACL packet too short (%iB)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: E, obj->type->destroy != NULL: d:/src/qemu/repo.or.cz/qemu/ar7/qjson.cobj != NULLd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULL
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: { 'class': 'BadBusForDevice', 'data': { 'device': %s, 'bad_bus_type': %s } }QDict not specifiedinvalid format '%s'd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLerror format is not a QDict '%s'classmissing 'class' key in '%s''class' key value should be a QStringdatamissing 'data' key in '%s''data' key value should be a QDICTerror format '%s' not foundd:/src/qemu/repo.or.cz/qemu/ar7/qerror.cqerror->entry != NULLexpected '%c' in '%s'key '%s' not found in QDictinvalid type '%c'obj->type->destroy != NULL%sobj != NULLDevice '%(device)' can't go on a %(bad_bus_type) busBus '%(bus)' not found{ 'class': 'BusNotFound', 'data': { 'bus': %s } }Bus '%(bus)' does not support hotplugging{ 'class': 'BusNoHotplug', 'data': { 'bus': %s } }The command %(name) has not been found{ 'class': 'CommandNotFound', 'data': { 'name': %s } }Device '%(device)' is encrypted{ 'class': 'DeviceEncrypted', 'data': { 'device': %s } }Device '%(device)' could not be initialized{ 'class': 'DeviceInitFailed', 'data': { 'device': %s } }Device '%(device)' is in use{ 'class': 'DeviceInUse', 'data': { 'device': %s } }Device '%(device)' is locked{ 'class': 'DeviceLocked', 'data': { 'device': %s } }Device '%(device)' has multiple child busses{ 'class': 'DeviceMultipleBusses', 'data': { 'device': %s } }Device '%(device)' has not been activated{ 'class': 'DeviceNotActive', 'data': { 'device': %s } }Device '%(device)' is not encrypted{ 'class': 'DeviceNotEncrypted', 'data': { 'device': %s } }Device '%(device)' not found{ 'class': 'DeviceNotFound', 'data': { 'device': %s } }Device '%(device)' is not removable{ 'class': 'DeviceNotRemovable', 'data': { 'device': %s } }Device '%(device)' has no child bus{ 'class': 'DeviceNoBus', 'data': { 'device': %s } }Device '%(device)' does not support hotplugging{ 'class': 'DeviceNoHotplug', 'data': { 'device': %s } }Duplicate ID '%(id)' for %(object){ 'class': 'DuplicateId', 'data': { 'id': %s, 'object': %s } }File descriptor named '%(name)' not found{ 'class': 'FdNotFound', 'data': { 'name': %s } }No file descriptor supplied via SCM_RIGHTS{ 'class': 'FdNotSupplied', 'data': {} }Invalid block format '%(name)'{ 'class': 'InvalidBlockFormat', 'data': { 'name': %s } }Invalid parameter '%(name)'{ 'class': 'InvalidParameter', 'data': { 'name': %s } }Invalid parameter type, expected: %(expected){ 'class': 'InvalidParameterType', 'data': { 'name': %s,'expected': %s } }Parameter '%(name)' expects %(expected){ 'class': 'InvalidParameterValue', 'data': { 'name': %s, 'expected': %s } }Password incorrect{ 'class': 'InvalidPassword', 'data': {} }Invalid JSON syntax{ 'class': 'JSONParsing', 'data': {} }Using KVM without %(capability), %(feature) unavailable{ 'class': 'KVMMissingCap', 'data': { 'capability': %s, 'feature': %s } }An incoming migration is expected before this command can be executed{ 'class': 'MigrationExpected', 'data': {} }Parameter '%(name)' is missing{ 'class': 'MissingParameter', 'data': { 'name': %s } }No '%(bus)' bus found for device '%(devi
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ^QEMU 0.14.5010
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: warning: adding a slave device to an empty scatternet %i
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: hpetisa-pitisa-serialindexchardevisa-paralleli8042vmportvmmouseps2_mouseport92isa-fdcdriveAdriveBlsi53c895apc_vga_initShutdown
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: \\.\//./qemd:/src/qemu/repo.or.cz/qemu/ar7/block.cp != NULL!bs->peerbs != bs_snapshotsdrv != NULLbs->peer == qdevqcow2sizebacking_fmtraw%sbs->drvreportignorestopreadwrite{ 'device': %s, 'action': %s, 'operation': %s }d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULLunknown{ 'device': %s, 'type': %s, 'removable': %i, 'locked': %i }{ 'file': %s, 'ro': %i, 'drv': %s, 'encrypted': %i }%lld%0.1f%c%lld%cKMGTVM CLOCKDATEVM SIZETAGID%-10s%-20s%7s%20s%15s%Y-%m-%d %H:%M:%S%02d:%02d:%02d.%03dbs->in_use != in_useUnknown file format '%s'Unknown protocol '%s'Invalid options for file format '%s'.Backing file not supported for file format '%s'Backing file format not supported for file format '%s'Error: Trying to create an image with the same filename as the backing fileUnknown backing file format '%s'Could not open '%s'Image creation needs a size parameterFormatting '%s', fmt=%s Formatting or formatting option not supported for file format '%s'The image size is too large for file format '%s'%s: error while creating %s: %sKMGT
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_cond_destroy
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: tried to set invalid watchpoint at %016llx, len=%llu
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: qemu: could not load PC BIOS '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qed.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: stdcirrusvmwarexenfbqxlUnknown vga type: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: %^port.br.devport.br.dev.exp.aer_logd:/src/qemu/repo.or.cz/qemu/ar7/hw/xio3130_upstream.c!tmpx3130-upstreamportTI X3130 Upstream Port of PCI Express Switchaer_log_maxxio3130-express-upstream-portIKc
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\SDL.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: '%(device)' uses a %(format) feature which is not supported by this qemu version: %(feature)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: FnetworkQEMU USB Network Interface
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU PenPartner tablet
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU VVFAT
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/balloon.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMU PenPartner tabletusb-wacom-tabletQEMU PenPartner Tabletwacom-tabletj
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_opt_set
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/tcg/i386/tcg-target.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/xio3130_upstream.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB BRAILLE
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: invalid physical CHS format
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: id+id1id6idDidHid6id6id6id6id6id6id6id6id6idQidvmsvga_value_writevmsvga_value_readvmware_vga
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: cpu-indexcommand-lineQEMU %s monitor - type 'help' for more information
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qerror.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: vmmouse
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/sysbus.cn >= 0 && n < dev->num_irqn >= 0 && n < dev->num_mmiodev->num_irq < QDEV_MAX_IRQdev->num_irq == 0dev->num_mmio < QDEV_MAX_MMIOdev->num_pio < QDEV_MAX_PIOinfo->qdev.size >= sizeof(SysBusDevice)System%s@%04x%*sisa irqs %d,%d
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qstring.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: Supported NIC models:
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/vdi.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/monitor.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: set QEMU_AUDIO_DRV=wav
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/lsi53c895a.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: translation (t=none or lba) (usually qemu can guess them)
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/hda-audio.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: /dev/vhci/dev/hci_vhciqemu: Can't open `%s': %s (%i)
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/tcg/tcg.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB RNDIS Netusbnet: unknown OID 0x%08x
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Net Subset
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: clonedsocket: fd=%d (%s mcast=%s:%d)qemu: error: init_dgram: fd=%d failed getsockname(): %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu.sstepbits
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Ed:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULL%lld"\u%04X\"\\\b\f\n\r\t{
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/i2c.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/cutils.cqiov->nalloc != -1dst->nalloc != -1
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMU 0.14.50314159
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qbool.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: N^statussource_idflagsheaderprefixd:/src/qemu/repo.or.cz/qemu/ar7/hw/e100.clen < sizeof(s->pkt_buf)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: [Stopped] - Press Ctrl-Alt-Shift to exit mouse grab - Press Right-Ctrl to exit mouse grab - Press Ctrl-Alt to exit mouse grabQEMU (%s)%sQEMU (%s)QEMU%sQEMUCould not open SDL display (%dx%dx%d): %s
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\QEMU.exexe
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: dump file path (default is qemu-vlan0.pcap)
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: only one watchdog option may be given
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: usb-msd: drive property not set/disk@0,0storageQEMU USB MSDdisklogical_block_sizephysical_block_sizemin_io_sizeopt_io_sizebootindexdiscard_granularityremovable
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: error %i reading the PDU
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/qdev-properties.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: `qemu_fopen: Argument validity check failed
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/ui/vnc-enc-zrle-template.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: <A(<A%s: unable to init event notifier: %d%s: unable to map ioeventfd: %d%s: unable to unmap ioeventfd: %dd:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-pci.cr >= 0%s: failed. Fallback to a userspace (slower).%s: unexpected address 0x%x value 0x%xtCA
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: socket(PF_INET, SOCK_DGRAM)setsockopt(SOL_SOCKET, SO_REUSEADDR)bindsetsockopt(IP_ADD_MEMBERSHIP)setsockopt(SOL_IP, IP_MULTICAST_LOOP)setsockopt(IP_MULTICAST_IF)qemu: error: getsockopt(SO_TYPE) for fd=%d failed
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: too many NUMA nodes
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_opts_create
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU: Terminated
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB HARDDRIVE
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Braille
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: too many parallel ports
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: c:/Program Files/Qemu/qemu.conf
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: already have a debugcon device
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: m_d:/src/qemu/repo.or.cz/qemu/ar7/aes.cin && out && keyin && out && key && ivecP
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU waiting for connection on: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMU 0.14.50QEMU USB HARDDRIVE1Full speed config (usb 1.1)High speed config (usb 2.0),g`9g`Lg`Ng`jg`
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: /d:/src/qemu/repo.or.cz/qemu/ar7/savevm.c!se->compat \|\| se->instance_id == 0alias_id == -1 \|\| required_for_version >= vmsd->minimum_version_id!sub_vmsd->subsections!vmsd->subsectionsstate blocked by non-migratable device '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: device:qemu: unrecognised bluetooth vlan Id
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: could not open virtio console '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU Keyboard/Mouse
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_thread_create
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: WAV renderer http://wikipedia.org/wiki/WAVqemu.wavwav_init_outRIFFWAVEfmt
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Net Data Interface
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: %llxQED{ 'class': 'UnknownBlockFormatFeature', 'data': { 'device': %s, 'format': %s, 'feature': %s } }qedbdrv_qed_openVirtual disk size (in bytes)File name of a base imageImage format of the base imageCluster size (in bytes)L1/L2 table size (in clusters)d:/src/qemu/repo.or.cz/qemu/ar7/block/qed-table.crequest->l2_table != NULLWithoutFreeSpaceparallels:exportname=nbd:unix:nbdd:/src/qemu/repo.or.cz/qemu/ar7/block/blkdebug.c(int)event >= 0 && event < BLKDBG_EVENT_MAXblkdebug:reventstateerrnoonceimmediatelynew_stateblkdebuginject-errorset-statel1_updatel1_grow.alloc_tablel1_grow.write_tablel1_grow.activate_tablel2_loadl2_updatel2_update_compressedl2_alloc.cow_readl2_alloc.writereadread_aioread_backingread_backing_aioread_compressedwrite_aiowrite_compressedvmstate_loadvmstate_savecow_readcow_writereftable_loadreftable_growrefblock_loadrefblock_updaterefblock_update_partrefblock_allocrefblock_alloc.hookuprefblock_alloc.writerefblock_alloc.write_blocksrefblock_alloc.write_tablerefblock_alloc.switch_tablecluster_alloccluster_alloc_bytescluster_freey
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: -vga [std\|cirrus\|vmware\|qxl\|xenfb\|none]
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: at most 2047 MB RAM can be simulated
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB MSD
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_SIZE
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: no!permit_abbrev \|\| list->implied_opt_nameid=,id=opts->list->desc[0].name == NULLqemu_opts_validateparse_option_boolparse_option_numberparse_option_sizeqemu_opts_createqemu_opt_set
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: invalid option value '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: %127[^/]%n!path[0]{ 'class': 'BusNotFound', 'data': { 'bus': %s } }path[pos] == '/' \|\| !path[pos]0{ 'class': 'DeviceNotFound', 'data': { 'device': %s } }devices at "%s":/"%s"{ 'class': 'DeviceNoBus', 'data': { 'device': %s } }{ 'class': 'DeviceMultipleBusses', 'data': { 'device': %s } }{ 'class': 'BadBusForDevice', 'data': { 'device': %s, 'bad_bus_type': %s } }{ 'class': 'NoBusForDevice', 'data': { 'device': %s, 'bus': %s } }{ 'class': 'DeviceInitFailed', 'data': { 'device': %s } }deviceiddo_device_delqdev_unplugqdev_device_addqbus_find<unset>%02x.%x%02x:%02x:%02x:%02x:%02x:%02x%d<null>%s"%s"0x%llx%llu0x%x%u%x.%x%n%x%nonoffd:/src/qemu/repo.or.cz/qemu/ar7/hw/qdev-properties.cprop->info->type == PROP_TYPE_BITdriverpropertyvalue{ 'class': 'PropertyNotFound', 'data': { 'device': %s, 'property': %s } }{ 'class': 'PropertyValueInUse', 'data': { 'device': %s, 'property': %s, 'value': %s } }{ 'class': 'PropertyValueBad', 'data': { 'device': %s, 'property': %s, 'value': %s } }{ 'class': 'PropertyValueNotFound', 'data': { 'device': %s, 'property': %s, 'value': %s } }%s: property "%s.%s" not found
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: @show the version of QEMUnetworkshow the network statechardevshow the character devicesblockshow the block devicesblockstatsshow block device statisticsregistersshow the cpu registerscpusshow infos for each CPUhistoryshow the command line historyirqshow the interrupts statistics (if available)picshow i8259 (PIC) statepcishow PCI infotlbshow virtual to physical memory mappingsmemshow the active virtual memory mappingsjitshow dynamic compiler infokvmshow KVM informationnumashow NUMA informationusbshow guest USB devicesusbhostshow host USB devicesprofileshow profiling informationcaptureshow capture informationsnapshotsshow the currently saved VM snapshotsshow the current VM status (running\|paused)pcmciashow guest PCMCIA statusmiceshow which guest mouse is receiving eventsshow the vnc server statusshow the current VM nameuuidshow the current VM UUIDusernetshow user network stack connection statesshow migration statusshow balloon informationqtreeshow device treeqdmshow qdev device model listromsshow roms
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/dp8381x.c
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/bios.bin
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/virtio-net.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU (%s)QEMUaudio already running
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/multiboot.cs->mb_mods_count < s->mb_mods_avail%s %smultiboot.binioapicne2k_isae1000qemu: too many IDE bus
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Net RNDIS Control Interface
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/usb-desc.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_BOOLopt->desc && opt->desc->type == QEMU_OPT_NUMBERopt->desc && opt->desc->type == QEMU_OPT_SIZE{ 'class': 'InvalidParameter', 'data': { 'name': %s } }idd:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULL%lldn < sizeof(buf)%.17g-._an identifierIdentifiers consist of letters, digits, '-', '.', '_', starting with a letter.
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_st16
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU_AUDIO_DRV
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: bad parameter '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: { 'qemu': { 'major': %d, 'minor': %d, 'micro': %d }, 'package': %s }
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: Standard PC, qemu 0.10
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: Standard PC, qemu 0.11
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU CD-ROM QEMU HARDDISK \|
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: W@(^port.br.devport.br.dev.exp.aer_log{ 'action': %s }d:/src/qemu/repo.or.cz/qemu/ar7/qobject.hobj->type != NULLobj->type->destroy != NULL?%s%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: http://bellard.org/qemu/user-doc.html
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: Vd:/src/qemu/repo.or.cz/qemu/ar7/hw/ioh3420.c!tmpioh3420portchassisslotIntel IOH device id 3420 PCIE Root Portaer_log_maxioh-3240-express-root-port@Jc
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Too Many NICsnetdevnetdev '%s' not foundvlanmodeladdrmacaddrinvalid syntax for ethernet addressvectorsinvalid # of vectors: %d?qemu: Supported NIC models: %s%cqemu: Unsupported NIC model: %sNo file descriptor named %s foundnonetype{ 'class': 'MissingParameter', 'data': { 'name': %s } }tapusersocketa netdev backend type{ 'class': 'InvalidParameterValue', 'data': { 'name': %s, 'expected': %s } }{ 'class': 'InvalidParameter', 'data': { 'name': %s } }nameidnic{ 'class': 'DeviceInitFailed', 'data': { 'device': %s } }a network client typedeviceoptsinvalid host network device %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/ui/vnc.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: H^tncmpfsbperiodwrap_flagqemu_timerREV x01x13x0fx00x00x03OSK0OSK1NATJMSSPMSSDx3WARNING: Using AppleSMC with invalid key
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qemu-option.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: usb-bt-dongleQEMU BT dongleusb_bt_handle_controlusb_bt_fifo_enqueue
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: %s: vmware_vga: no PCI bus
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: c:/Program Files/Qemu/target-x86_64.conf
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: _qemu: hardware error:
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMURNDIS/QEMU USB Network Device400102030405QEMU USB Net Data InterfaceQEMU USB Net Control InterfaceQEMU USB Net RNDIS Control InterfaceQEMU USB Net CDCQEMU USB Net SubsetQEMU USB Net RNDIS1px`ux`
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: vmware_vga
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: &^br.devbr.dev.exp.aer_logd:/src/qemu/repo.or.cz/qemu/ar7/hw/xio3130_downstream.c!tmpxio3130-downstreamportchassisslotTI X3130 Downstream Port of PCI Express Switchaer_log_maxxio3130-express-downstream-port
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: R_#R_(R_-R_2R_7R_=R_DR_IR_NR_UR_[R_dp8381x_mmio_writewdp8381x_writewdp8381x_mmio_writebdp8381x_writebdp8381x_mmio_readldp8381x_readlbmcr_readdp8381x_readwanar_readanlpar_readphytst_readdp8381x_mmio_readwdp8381x_mmio_readbdp8381x_readbdp8381x_reseteeprom_initdp8381x_loaddp8381x_savedp8381x_nic_resetdp8381x_mem_mapdp8381x_io_mapdp8381x_ioport_writeldp8381x_ioport_writewdp8381x_ioport_writebdp8381x_ioport_readldp8381x_ioport_readwdp8381x_ioport_readbmacvlannetdevbootindexgpxe-eepro100-80861209.romd:/src/qemu/repo.or.cz/qemu/ar7/hw/eepro100.cmcast_idx < 64addr + sizeof(val) <= sizeof(s->mem)g
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: _could not qemu_fopen socket
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pci_host.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/intel-hda.creg->offset != 0unknown register, addr 0x%x
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: Yvmware-svgavgabios-vmware.binvmsvga_fifo_runvmsvga_cursor_definevmsvga_update_rectvmsvga_bios_writevmsvga_bios_readDosWindows 3.1Windows 95Windows 98Windows MEWindows NTWindows 2000LinuxOS/2an unknown OSBSDWhistlerWindows 2003
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Net Control Interface
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/sysbus.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/pci.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: qemu: could not load kernel '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu file buffer expansion failed
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_cond_signal
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: fsdevfsdev is not supported by this qemu build.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qdict.c
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\efi32.bin
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: ram size too large
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: vgabios-vmware.bin
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: =Yprocess_ncq_commandich9-ahciahcid:/src/qemu/repo.or.cz/qemu/ar7/hw/lsi53c895a.cs->current->dma_buf == NULLs->current->dma_len == 0QTAILQ_EMPTY(&s->queue)lsi_scsi: error: MSG IN data too long
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qemu-timer.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_init_main_loop failed
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU Virtual CPU version 0.14.50,
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: GQEMU PS/2 Mouseps2mouse0
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qobject_type(obj) == QTYPE_QDICTcurrentCPU%c CPU #%d: pc=0x%016llxhalted (halted)qemupackagemicrominormajor%lld.%lld.%lld%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qed-table.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: unknown boot parameter '%s' in '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: warning: adding a VHCI to an empty scatternet %i
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: _net_client_initsocket: fd=%dqemu: error: specified mcastaddr "%s" (0x%08x) does not contain a multicast address
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/net.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Mouse
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: NUUD3.LSTtools/QEMU/bios.bintools/QEMU/efi32.bintools/QEMU/efi64.bintools/QEMU/hd.vmdktools/QEMU/vgabios-stdvga.bintools/uikey.initools/waldrtools/wgl4_boot.ttfdownload/atl71.dlldownload/dl_peer_id.dlldownload/download_engine.dlldownload/MiniThunderPlatform.exedownload/MiniTPFw.exedownload/minizip.dlldownload/msvcp71.dlldownload/msvcr71.dlldownload/ThunderFW.exedownload/XLBugHandler.dlldownload/XLBugReport.exedownload/zlib1.dlltools/bcdedit.exetools/bootice.exetools/bootsect.exetools/fbinst.exetools/GDisk.exetools/oscdimg.exetools/PECMD.exetools/QEMU/libpdcurses.dlltools/QEMU/libssp-0.dlltools/QEMU/libz-1.dlltools/QEMU/QEMU.exetools/QEMU/SDL.dlltools/UltraISO.exexldl.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: could not open gdbserver on device '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qemu-thread-win32.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: show the version of QEMU
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU HARDDISK
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/msi.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/eeprom93xx.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qfloat.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Leakedd:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-cluster.ci <= nb_clusters1.2.3%dd:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-cache.cc->entries[i].ref == 0c->entries[i].ref >= 0rawd:/src/qemu/repo.or.cz/qemu/ar7/block/qed.cacb->request.l2_table != NULLsizebacking_filebacking_fmtcluster_sizetable_sizeQED cluster size must be within range [%u, %u] and power of 2
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-cluster.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB RNDIS Net
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qobject.h
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: bt_device_donebt_dummy_lmp_acl_respbt_dummy_lmp_disconnect_masterbt_dummy_lmp_connection_completeqemu: bluetooth passthrough not supported (yet)
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/libz-1.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_ld8s
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: fsdev is not supported by this qemu build.
Source: FA3TCAsA9E.exe, 00000001.00000003.237494961.00000000095A7000.00000004.00000001.sdmp	Binary or memory string: X/disk@1/disk@0%s@%dNo drive specifiedIDE unit %d is in useInvalid IDE unit %dide-driveunitdriveIDElogical_block_sizephysical_block_sizemin_io_sizeopt_io_sizebootindexdiscard_granularityverseriald:/src/qemu/repo.or.cz/qemu/ar7/hw/ide/pci.hbmdma->unit != (uint8_t)-1,Y\,Yide
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: #^romfilerombarcommand_serr_enableversion_idconfigirq_statenirqirq_countpci configpci irq stated:/src/qemu/repo.or.cz/qemu/ar7/hw/pci_bridge.cQLIST_EMPTY(&s->sec_bus.child)MSI-X: only dword write is allowed!
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: bluetooth passthrough not supported (yet)
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu_ld8u
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: oncemenuoffqemu: invalid option value '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU VVFAT path_len < PATH_MAXmapping->mode & MODE_DELETEDcluster %d used more than once
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/ps2.c
Source: FA3TCAsA9E.exe, 00000001.00000003.238810623.00000000063B6000.00000004.00000001.sdmp	Binary or memory string: tools\QEMU\libpdcurses.dlli
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMU 0.14.5042HID MouseHID TabletHID Keyboard0``
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: keymaps/%s/%s%stcp::1234 (default),trans=lba,trans=nonec:/Program Files/Qemu/qemu.confmedia=diskOption %s not supported for this target
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: isa-serialisa-parallelisa-fdcide-drivevirtio-serial-pcivirtio-serial-s390VGAcirrus-vgavmware-svga
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/vvfat.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: return value mismatch %d != %dd:/src/qemu/repo.or.cz/qemu/ar7/block/blkverify.ca->niov == b->niova->iov[i].iov_len == b->iov[i].iov_lencontents mismatch in sector %lldblkverify:blkverify/dev/cdrom\\.\%c:\\.\//./PhysicalDrive%c:\sizefilehost_device
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: devbusd:/src/qemu/repo.or.cz/qemu/ar7/hw/qdev.cbus->info == info->bus_infobus->allow_hotplugdriver%s/info->size >= sizeof(DeviceState)!info->next?%s.%s=%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/blkverify.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: vga=normalextaskqemu: linux kernel too old to load a ram disk
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: qemu: could not open serial device '%s': %s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: _net client type (nic, tap etc.)vlan numberidentifier for monitor commandsid of -netdev to connect toMAC addressdevice model (e1000, rtl8139, virtio etc.)PCI device addressnumber of MSI-x vectors, 0 to disable MSI-Xhostnameclient hostname reported by the builtin DHCP serverrestrictisolate the guest from the host (y\|yes\|n\|no)iplegacy parameter, use net= insteadIP address and optional netmaskhostguest-visible address of the hosttftproot directory of the built-in TFTP serverbootfileBOOTP filename, for use with tftp=dhcpstartthe first of the 16 IPs the built-in DHCP server can assigndnsguest-visible address of the virtual nameserversmbroot directory of the built-in SMB serversmbserverIP address of the built-in SMB serverhostfwdguest port number to forward incoming TCP or UDP connectionsguestfwdIP address and port to forward guest TCP connectionsifnameinterface namefdfile descriptor of an already opened socketlistenport number, and optional hostname, to listen onconnectport number, and optional hostname, to connect tomcastUDP multicast address and port numberlocaladdrsource address for multicast packetslenper-packet size limit (64k default)filedump file path (default is qemu-vlan0.pcap)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB MouseQEMU USB Tabletusb-tablettabletusb-mousemouseusb-kbdQEMU USB Keyboardkeyboard)
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU/libssp-0.dll
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Network Interface
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ]QEMU 0.14.50QEMU USB SERIALQEMU USB BRAILLE1
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: ,serverserverwaittelnetdelayunix:%s%sporthosttelnet:%s:%s%stcp:%s:%s%sQEMU waiting for connection on: %s
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: ,retrace=dumbpreciseqemu: invalid resolution or depth
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: usb-ohci: %s: qemu_new_timer failed
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU: Terminated via GDBstub
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block-migration.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_event_increment: SetEvent failed: %ld
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Keyboard
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: 32 32 3 1X c #000000. c #ffffff c NoneX XX X.X X..X X...X X....X X.....X X......X X.......X X........X X.....XXXXX X..X..X X.X X..X XX X..X X X..X X..X X..X XX cursor_parse_xpm32 32 1 1d:/src/qemu/repo.or.cz/qemu/ar7/qemu-error.c!loc->prevcur_loc == loc && loc->prevfname \|\| cur_loc->kind == LOC_FILE %s:%s%s: %d:%s
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/exec.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: error %i writing bluetooth packet.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-cache.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: apicidcpu_envbios.binpc.rampc.biosqemu: could not load PC BIOS '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: debugcondeviceqemu: already have a debugcon device
Source: FA3TCAsA9E.exe, 00000001.00000003.238824290.00000000063A4000.00000004.00000040.sdmp	Binary or memory string: tools/QEMU
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qemu-error.c
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: linuxboot.bind:/src/qemu/repo.or.cz/qemu/ar7/hw/pc.csmm_set == NULLsmm_arg == NULLne2k_isaiobaseirqqemu64Unable to find x86 CPU definition
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: virtfsvirtfs is not supported by this qemu build.
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/net/dump.cvlanfileqemu-vlan%d.pcaplen-net dump: can't open %s-net dump write error: %sdumpdump to %s (len=%d)%sSYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}%s\%s\ConnectionSYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}%s\%serror creating output queue semaphore!
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: qemu: linux kernel too old to load a ram disk
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU (%s)
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: activate logging of the specified items to '/tmp/qemu.log'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU USB Tablet
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: driveramqemu: could not open gdbserver on device '%s'
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/eeprom93xx.c!"Unsupported EEPROM size, fallback to 64 words!"eeprom
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: QEMU 0.14.50
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block-migration.cblock_mig_state.submitted >= 0block_mig_state.read_done >= 0Error reading sector %lld
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qlist.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu: error: specified mcastaddr "%s" (0x%08x) does not contain a multicast address
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/console.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/qemu-thread-win32.cmutex->owner == 0mutex->owner == GetCurrentThreadId()qemu_thread_initqemu_thread_createqemu_cond_broadcastqemu_cond_signalqemu_cond_destroyqemu_cond_initd:/src/qemu/repo.or.cz/qemu/ar7/hw/event_notifier.cs == sizeof(value)Failed to initialize win32 alarm timer: %ld
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_cond_broadcast
Source: FA3TCAsA9E.exe, 00000001.00000003.237438344.0000000009590000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/hw/xio3130_downstream.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: Bochs Virtual HD Image
Source: FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp	Binary or memory string: pc.romvmware-svgaWarning: vmware_vga not available, using standard VGA instead
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: d:/src/qemu/repo.or.cz/qemu/ar7/block/qcow2-refcount.c
Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	Binary or memory string: qemu_fdopen: Argument validity check failed

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\FA3TCAsA9E.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)

Show sources

Source: FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp

String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Path Interception	Masquerading11	OS Credential Dumping	Security Software Discovery231	Remote Desktop Protocol1	Archive Collected Data1	Exfiltration Over Other Network Medium	Remote Access Software1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery123	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FA3TCAsA9E.exe	19%	Virustotal		Browse
FA3TCAsA9E.exe	11%	Metadefender		Browse
FA3TCAsA9E.exe	17%	ReversingLabs	Win32.Trojan.Fsysna

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\PECMD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\400u50BLNB\7z.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniTPFw.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniTPFw.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniThunderPlatform.exe	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniThunderPlatform.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\ThunderFW.exe	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugHandler.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugHandler.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugReport.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugReport.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\atl71.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\dl_peer_id.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\download_engine.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\download_engine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\minizip.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\minizip.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcp71.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcp71.dll	3%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.3.FA3TCAsA9E.exe.8de70fc.1.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.libsdl.orgsdl_callbackSAMPLESSize	0%	Avira URL Cloud	safe
http://bbs.wuyou.com/forum.php?mod=viewthread&tid=203313&extra=&page=1	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.gamers.org/~quinet/lilo/).	0%	Avira URL Cloud	safe
http://www.ezbsystems.comDVarFileInfo$	0%	Avira URL Cloud	safe
http://jsy.newitboy.com/wllinfo/newoemjsy/oemtianm.txt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jsy.newitboy.com	112.126.77.190	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://jsy.newitboy.com/wllinfo/newoemjsy/oemtianm.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.winimage.com/zLibDll1.2.3	FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	false		high
http://www.xunlei.com/	FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	false		high
http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%s&	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://www.libsdl.orgsdl_callbackSAMPLESSize	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://bbs.wuyou.com/forum.php?mod=viewthread&tid=203313&extra=&page=1	iwll.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://www.libsdl.org	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	false		high
http://www.xunlei.com/GET	FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	false		high
http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%s	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://ocsp.thawte.com0	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diskgenius.cn	iwll.dat.1.dr	false		high
http://bellard.org/qemu/user-doc.html	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	false		high
http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%sr	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://upx.sf.net	iwll.dat.1.dr	false		high
http://store.paycenter.uc.cnmail-attachment.googleusercontent.com	FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp	false		high
http://www.symantec.com	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://grub4dos.chenall.net	iwll.dat.1.dr	false		high
https://curl.haxx.se/docs/http-cookies.html	FA3TCAsA9E.exe	false		high
http://www.openssl.org/support/faq.html	FA3TCAsA9E.exe	false		high
http://www.gamers.org/~quinet/lilo/).	iwll.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://shsucdx.adoxa.cjb.net/	iwll.dat.1.dr	false		high
http://bellard.org/qemu/user-doc.htmlQEMU	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://www.ezbsystems.comDVarFileInfo$	FA3TCAsA9E.exe, 00000001.00000003.237511429.0000000009600000.00000004.00000001.sdmp, UltraISO.exe.1.dr	false	Avira URL Cloud: safe	low
http://www.xunlei.com/no-cache	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://www.winimage.com/zLibDll-	FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, MiniTPFw.exe.1.dr	false		high
http://ipxe.org/wimboot	iwll.dat.1.dr	false		high
http://www.openssl.org/support/faq.html....................	FA3TCAsA9E.exe, 00000001.00000003.232601868.0000000008AA0000.00000004.00000001.sdmp	false		high
http://store.paycenter.uc.cn	FA3TCAsA9E.exe, 00000001.00000003.233327613.0000000008DE5000.00000004.00000001.sdmp	false		high
http://grub4dos.chenall.net/e/%u)	iwll.dat.1.dr	false		high
http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%s	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high
http://www.winimage.com/zLibDll	FA3TCAsA9E.exe, 00000001.00000003.233413185.0000000008E1B000.00000004.00000001.sdmp	false		high
http://freedos.sourceforge.net/freecom	iwll.dat.1.dr	false		high
http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%sHTTP://http://	FA3TCAsA9E.exe, 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
112.126.77.190	jsy.newitboy.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	439916
Start date:	24.06.2021
Start time:	15:28:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FA3TCAsA9E (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/59@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 104.42.151.234, 23.211.6.115, 13.88.21.125, 23.211.4.86, 20.82.209.183, 173.222.108.210, 173.222.108.226, 51.103.5.186, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	2qPnTEJ3ZZ.exe	Get hash	malicious	Browse	123.56.15.95
	AUg4zbbjo6.exe	Get hash	malicious	Browse	116.62.163.137
	nt2WhgY3ok.exe	Get hash	malicious	Browse	123.56.15.95
	vVf4lZnfz2.exe	Get hash	malicious	Browse	120.77.146.229
	wYkNG4oa7k.exe	Get hash	malicious	Browse	47.107.79.90
	xwKdahKPn8.exe	Get hash	malicious	Browse	101.200.0.178
	Img-347654566091235.exe	Get hash	malicious	Browse	39.100.255.129
	Advised PO_PSLP20201201LASPRX36214.exe	Get hash	malicious	Browse	118.178.133.97
	6tUeDaZpGW	Get hash	malicious	Browse	203.119.169.43
	6tUeDaZpGW	Get hash	malicious	Browse	203.119.169.43
	svmm.exe	Get hash	malicious	Browse	39.98.110.234
	AdobeAcrobatProDC2021.005.20048#U4e2d#U6587#U76f4#U88c5#U7834#U89e3#U7248@2223_16081.exe	Get hash	malicious	Browse	47.102.38.15
	UM6rAJhKEq.exe	Get hash	malicious	Browse	47.117.70.170
	mAGs0IsoB7.exe	Get hash	malicious	Browse	47.117.70.170
	KuMTnLOuSZ.exe	Get hash	malicious	Browse	47.117.70.170
	o5ZGIQwDed.exe	Get hash	malicious	Browse	47.117.70.170
	UM6rAJhKEq.exe	Get hash	malicious	Browse	106.15.48.27
	mAGs0IsoB7.exe	Get hash	malicious	Browse	106.15.48.27
	IJ9cCBb4Tv.exe	Get hash	malicious	Browse	106.15.48.27
	KuMTnLOuSZ.exe	Get hash	malicious	Browse	106.15.48.27

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniThunderPlatform.exe	fNbViAxRGL.exe	Get hash	malicious	Browse
	dXaqC8H6qX.exe	Get hash	malicious	Browse
	SecuriteInfo.com.LresultFromObject.32334.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\7z.dll	fNbViAxRGL.exe	Get hash	malicious	Browse
	dXaqC8H6qX.exe	Get hash	malicious	Browse
	WinRAR4.01.exe	Get hash	malicious	Browse
	http://www.edi-texteditor.com/EdiSetup.exe	Get hash	malicious	Browse
	WinThrusterSetup_1.16.7.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniTPFw.exe	fNbViAxRGL.exe	Get hash	malicious	Browse
	dXaqC8H6qX.exe	Get hash	malicious	Browse
	SecuriteInfo.com.LresultFromObject.32334.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\oemtianm[1].txt Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	88984
Entropy (8bit):	4.104695690505801
Encrypted:	false
SSDEEP:	768:Ijx86tU4Xbr2tKeE0zjRjehpb7TseNrenMKSqL:IjxU4ZeE0zjRjehpbkegnMKSqL
MD5:	0DBFA1F8E45E3F969DFE910CE01E41DC
SHA1:	70AAD86B89E372E94600989EA28B0C2FAD073456
SHA-256:	EF2244C246A85D406CC28ECE5F6538B7A35593A7222903431BADB07619F2B175
SHA-512:	0B5FB2600C7A58D02B555F7E202FDFEA54EB83FCA21378CAF976945D2357F9DF6D59195B782ECFD0BEA7CE1A8BEBC0DD67CC0A7C7A493F9174CBEC401AFA3965
Malicious:	false
Reputation:	low
IE Cache URL:	http://jsy.newitboy.com/wllinfo/newoemjsy/oemtianm.txt
Preview:	84A4733C975E9B.[A1845D33950ECC09166992AD0204].BA9E5E369E=725CE1832C8F47C5757ACEAC5A168737825C61BF2CF4AD364626402CE8.A7994E3F83=FF.A89E463F955E915A=B99E446BCB09C80D127B92E70018D0748E.BB8448399A4B9A534374=FF.A184482F925398=B99E446BCB.A1844B289857=F8C3.AD965E=B49D.BC924C3F895A925C47=750EF980B66CB8719BCA1720DAD004B939ABFA26CEFCC1164D58236BBABEA452B6BA3BB3C0782B5A00307668A03E3B85E426D2CDF3328B8660945BE3.BC965E3F=FB.A3931F=FCC31319B907C408155795AE2B748243DE5704B82D7923D3DAB7CCA8387422D5.B89258339D46=FF.A29E4431884B8E=FDC11A6B87508C0E5E72D9AC164ED836.B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CEDAB6C6D66C0A4ECF097DE830788ED7A386AB6AE9377E228667DE4E19499F725BEA5E88378DE5D378FFF21832BB.B69A1B058F468C5A=FE.A1871B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF03659798CC19598E5682578850D3EF33367CE96BD84A96AEF683862C67EDD575E0F862A05ED5ACE768FF5922BFCEA4D6FBA3ECF.A1871B058F468C5A=FE.AF8E1B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF03659798CC19598E5682578850D3EF33367CE96BD84A

C:\Users\user\AppData\Local\Temp\400u50BLNB\7z.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174080
Entropy (8bit):	6.279217790646268
Encrypted:	false
SSDEEP:	3072:xyljBP/VZjAISqyTFjoZAO1h7BTF1rJa//diUTTBXJxO8hlIhb0:xeBnVZ8w4toZAcLrJa/liSVHU
MD5:	31CAD6A3EDD1C32981AD6B565CBEAC94
SHA1:	9338978C85A9423EE2A38CBA027F79192D684F1B
SHA-256:	B8521ABDA09EC17DDAD36528C1BC50395DC8C5F7C11C026A5B3FF23110C54182
SHA-512:	02E198B8EF192DE55DB35AE00A16A80B3309A9373A596C20D617B43DD7159A635BC303F371859E704375521A1242D02754807E2E9DFEF63FFD06993B24C17D3D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fNbViAxRGL.exe, Detection: malicious, Browse Filename: dXaqC8H6qX.exe, Detection: malicious, Browse Filename: WinRAR4.01.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: WinThrusterSetup_1.16.7.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..P....................6...>..............._...........6...P...o.^.....o.j....................Rich............................PE..L....S.L...........!........................................................@.......................................@.......9..P...............................@.......................................................,............................text............................... ..`.rdata...@.......B..................@..@.data.......P...4...4..............@....sxdata..............h..............@....rsrc................j..............@..@.reloc...%.......&..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniTPFw.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59848
Entropy (8bit):	6.4580836109066695
Encrypted:	false
SSDEEP:	768:BSODywYihzSrVPdQsNruuGYOLO3NNkFlBi1jSZIfjeGdJARt03juFGu:BSKywYDdQsQuG5L27Ui1SPRt0qf
MD5:	58BB62E88687791AD2EA5D8D6E3FE18B
SHA1:	0FFB029064741D10C9CF3F629202AA97167883DE
SHA-256:	F02FA7DDAB2593492B9B68E3F485E59EB755380A9235F6269705F6D219DFF100
SHA-512:	CD36B28F87BE9CF718F0C44BF7C500D53186EDC08889BCFA5222041FF31C5CBEE509B186004480EFBD99C36B2233182AE0969447F4051510E1771A73ED209DA5
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fNbViAxRGL.exe, Detection: malicious, Browse Filename: dXaqC8H6qX.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.LresultFromObject.32334.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........."..q..q..q.#q..q.5q..q..q..q...q..q.2q..q."q..q.'q..qRich..q................PE..L.....R.....................@.......,............@.................................?..........................................P...................................0...............................h...@............................................text.............................. ..`.rdata..........,..................@..@.data...............................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398038838886799
Encrypted:	false
SSDEEP:	6144:IPH9aqri3YL1Avg3NloWPxFL8gL2MaVtvT0e9d:IP4qri3YL1Avg3NloWPTHL2fkQ
MD5:	0C8F2B0EE5BF990C6541025E94985C9F
SHA1:	BE942F5FEF752B0070BA97998BFE763B96529AA2
SHA-256:	12D6CC86FDC69E1AA8D94D38715BBE271994C0F86F85283FA2190DA7C322F4C8
SHA-512:	7B0E81149FAFA88050A125155732057190D8F93E8D62CB05A68DA9CF24E30228F14D0FFD888C0362BFFD5872E970200098E75572B2819ABEEA10022AB1A264F6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: fNbViAxRGL.exe, Detection: malicious, Browse Filename: dXaqC8H6qX.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.LresultFromObject.32334.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L......S..........................................@..........................`.......................................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\ThunderFW.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugHandler.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	100808
Entropy (8bit):	4.766413363865024
Encrypted:	false
SSDEEP:	768:ptC/WRVyC4jjurmOgxhQgVQfWDwI8JefPffPbrwehZ/kUZ7lzajun:ptC/WG2Kq8wIwef3Z/7Z7Bvn
MD5:	92154E720998ACB6FA0F7BAD63309470
SHA1:	385817793B9F894CA3DD3BAC20B269652DF6CBC6
SHA-256:	1845DF41DA539BCA264F59365BF7453B686B9098CC94CD0E2B9A20C74A561096
SHA-512:	37BA81F338AF7DE7EF2AC6BCF67B3AEC96F9B748830EE3C0B152029871F7701E917B94A6B51ACD7BE6F8F02AEA2B25F3B14CED1A218BF4868AF04F5207BB5FFF
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D............C......u......%......w......J......Q......+......J......v....{.t......p....Rich..*.................PE..L....+.Q...........!................8........................................@......y...................................V............................p....... ..........................................@...........`................................text............................... ..`.rdata...8.......@..................@..@.data...............................@....idata...".......0..................@....rsrc................@..............@..@.reloc..b.... ... ...P..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\XLBugReport.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	248264
Entropy (8bit):	6.6466971830965855
Encrypted:	false
SSDEEP:	3072:XMdUQGp4lA6Ce3PVd0zA+NzWfhYxMyIxZ2D6YmxX7hNKQ+Gr3:Xl4lrHdcFzWJYxMVZ2D6YmxXdL+63
MD5:	67C767470D0893C4A2E46BE84C9AFCBB
SHA1:	00291089B13A93F82EE49A11156521F13EA605CD
SHA-256:	64F8D68CC1CFC5B9CC182DF3BECF704AF93D0F1CC93EE59DBF682C75B6D4FFC0
SHA-512:	D5D3A96DEC616B0AB0CD0586FA0CC5A10BA662E0D5E4DE4D849AC62CA5D60EC133F54D109D1D130B5F99AE73E7ABFB284EC7D5BA55DCA1A4F354C6AF73C00E35
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4.U.U...U...U...]...U...Y...U...Y...U...Y...U...Y...U..<B...U.......U...U..2T..<B...U..^^...U..<B...U..Rich.U..........PE..L....+.Q.....................0.......t............@.............................................................................,....P.. c..........................@...............................8...@...............8............................text...pv.......................... ..`.rdata..............................@..@.data........0.......0..............@....rsrc... c...P...p...@..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\atl71.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\dl_peer_id.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\download_engine.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\id.dat Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.237326145256008
Encrypted:	false
SSDEEP:	3:q13EMVYqayn:q1bVSy
MD5:	0BE78C38021ED1585770F4709C75958B
SHA1:	E9E3096E7CECDEADD5E69D714F0BB8FF2191521E
SHA-256:	D8C1F72B74BF08838080118C897B8FD50046EDF036A045813BB9CC082DBF4A5D
SHA-512:	38DA85702B15CB2020129C2DD88DB8FFD6EC46D7C5D8C3A35717A9F186A83DE71E90827E5C943972F211B0CD2A4B6366260D3C525591150F1237D979578C4D19
Malicious:	false
Preview:	[partner]..id=80000211..ver = 3.2.1.40..

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\minizip.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19968
Entropy (8bit):	5.994668230170749
Encrypted:	false
SSDEEP:	384:mR8uMPJWrR/CZoG4T/ibcIBLLz0IINleTW4l1J0G:duMhWD1GbcIBLLXINyN0
MD5:	7FD4F79ACA0B09FD3A60841A47CA96E7
SHA1:	6A84B131399D207BF00605D33F938617B1A7C391
SHA-256:	FC10C877E2BCFAB35758446A72A8DB704D8E8455470D65A6DE5492C10C8D6786
SHA-512:	D3933D77C61B6D38546AC9D38C7975F9575EB25AC8673DA18D6707669676612EA0BE0A673633AD703EC4FE9B30A37D63DD21F33EE782FA3CF984046E483069F7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A..,............................................................?..............................Rich...........PE..L...1..M...........!.....4...........@.......P.......................................................................W.......R..P....p...............................P..............................(R..@............P...............................text....3.......4.................. ..`.rdata.......P.......8..............@..@.data...H....`.......D..............@....rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcp71.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\msvcr71.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\download\zlib1.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\jsy39FE.tmp Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	88984
Entropy (8bit):	4.104695690505801
Encrypted:	false
SSDEEP:	768:Ijx86tU4Xbr2tKeE0zjRjehpb7TseNrenMKSqL:IjxU4ZeE0zjRjehpbkegnMKSqL
MD5:	0DBFA1F8E45E3F969DFE910CE01E41DC
SHA1:	70AAD86B89E372E94600989EA28B0C2FAD073456
SHA-256:	EF2244C246A85D406CC28ECE5F6538B7A35593A7222903431BADB07619F2B175
SHA-512:	0B5FB2600C7A58D02B555F7E202FDFEA54EB83FCA21378CAF976945D2357F9DF6D59195B782ECFD0BEA7CE1A8BEBC0DD67CC0A7C7A493F9174CBEC401AFA3965
Malicious:	false
Preview:	84A4733C975E9B.[A1845D33950ECC09166992AD0204].BA9E5E369E=725CE1832C8F47C5757ACEAC5A168737825C61BF2CF4AD364626402CE8.A7994E3F83=FF.A89E463F955E915A=B99E446BCB09C80D127B92E70018D0748E.BB8448399A4B9A534374=FF.A184482F925398=B99E446BCB.A1844B289857=F8C3.AD965E=B49D.BC924C3F895A925C47=750EF980B66CB8719BCA1720DAD004B939ABFA26CEFCC1164D58236BBABEA452B6BA3BB3C0782B5A00307668A03E3B85E426D2CDF3328B8660945BE3.BC965E3F=FB.A3931F=FCC31319B907C408155795AE2B748243DE5704B82D7923D3DAB7CCA8387422D5.B89258339D46=FF.A29E4431884B8E=FDC11A6B87508C0E5E72D9AC164ED836.B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CEDAB6C6D66C0A4ECF097DE830788ED7A386AB6AE9377E228667DE4E19499F725BEA5E88378DE5D378FFF21832BB.B69A1B058F468C5A=FE.A1871B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF03659798CC19598E5682578850D3EF33367CE96BD84A96AEF683862C67EDD575E0F862A05ED5ACE768FF5922BFCEA4D6FBA3ECF.A1871B058F468C5A=FE.AF8E1B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF03659798CC19598E5682578850D3EF33367CE96BD84A

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\10BCD Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.1224557470920553
Encrypted:	false
SSDEEP:	48:MfgUWZnyLAvAeJodTmBzQu0rM5b6zerOYV+8imaFwejGjTf4Bt6Bw0JgSwj2:MfjqSAvHOdu0uB9prj96Of4Bt2wsBwj
MD5:	184C03F85CE04B9D0D459DD03D42694C
SHA1:	A3B80C07A779BD07CCA391E7D93F56A936A6F202
SHA-256:	C43628AD3EEE29C3033BF55836D0433CE61E49FF94234603243D55B638675ECF
SHA-512:	A326D28E8D90BC1F7F4E44AA3E734A44A7E4817C9272237805C0C7493FBF79F95E11E57F0C2B76527A1981BCE2BDF375A63A534104FAB43F01C050821910546C
Malicious:	false
Preview:	regf........Z.ZU.................... .... ......)Y.U.N...:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.1.0.B.C.D...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................=..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\10efibcd Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.200459736015304
Encrypted:	false
SSDEEP:	48:QfQlWgEWZALGleJodTmgzNBO0Zl9bzbeGtAU3r8WISeVlqCGO8tx4tEMuSsp4BoF:8QwjPGwOdjPO6eG22IFIx4iZ6YfP+
MD5:	5E7C52B4E33E83320813294C40D2B0C1
SHA1:	EC3DBBFFF3C71D94A2F8F368909F4EEFAE1936E4
SHA-256:	F64FC9D5484AB2B4177BF50A90AEF2ABF5A79118E7C0B7B4D8D8247625C78968
SHA-512:	9E081224A627D0D09107FC624D8C97092929C966A165C00C0FC77C95415BD518F5099559104AAD11BB4328D9A2DF878777B4E78EF0FB71090688604DA5A8A698
Malicious:	false
Preview:	regf'...'.....u[.................... .... .........:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.1.0.e.f.i.b.c.d...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................V..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\7bcd Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.1193517831554605
Encrypted:	false
SSDEEP:	48:b/6gpXWZ5LieJodTmPzQ5Lyrob4zernRYt18imlRejGtZTzbGdaGgGc2:b/6kXm1OdY05LzjrnC4eOzbCaG6
MD5:	37415249649BD95C605868942CAA153C
SHA1:	26662DFE3760D8749064894850380DFC8DA146EE
SHA-256:	13BFDEAA701A7B091AAABE01953E2FAE4532BC05AECC847FED62A1F65EAB36B8
SHA-512:	E15C940BE35C757082E3D1DEAA715F1CC31819DF6423F05910E671EF5B59A1B11DCE0E56B7214ED2430BF080381F69459BAEC11F77049B5CB9C12923A0A0EEF7
Malicious:	false
Preview:	regf,...,...I..`.................... .... ......\.)Y.U.N...:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.7.b.c.d...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm....................................................................................................................................................................................................................................................................................................................................................<...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\832BCD Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.118192368682145
Encrypted:	false
SSDEEP:	48:L0gWg3+WZnyLOeJodTmBzQnA0rM5b6zerOYV+8imazXejGjTvbSaPw0JgSwj2:gvNqSJOdu0AB9prj9FOvGowsBwj
MD5:	C25FF42C7D7342FEA698EBD442585966
SHA1:	0F8BEFB6F2AAFB56C91F47B7F5436452526A5165
SHA-256:	C57EFD6352BB7AE2EC2325D1CF13B0B6A74AAFBA22D0257353CBC7F8F9553C3B
SHA-512:	278D7CAB219D7248A49FC7E52C6904B88C83F2018B923D6B6C275F854A5AD22BB6FAD86BE4B5B66DE78AC560F6FF5A6F092628DE1500E90CEA03BF6D45911DD4
Malicious:	false
Preview:	regf........}.-s.................... .... .......U.N...:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.8.3.2.B.C.D...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm....................................................................................................................................................................................................................................................................................................................................................g...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\8BCD Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.1168213664815543
Encrypted:	false
SSDEEP:	48:0TYgXWZnyL1eJodTmBzQ10rM5b6zerOYV+8imaWejGjT9aJG8Vw0JgSwj2:0TYcqSgOdu01B9prj9SO9aJDVwsBwj
MD5:	9CCD1B8ACD478D288E000E9FC16B5607
SHA1:	65FE1D6622063A0F400AC2E64E303DEEAC747AB5
SHA-256:	357BC98D426EDA49CECFBB4155E69B18DF6DA8BF40D3DD5AD941FBC4FAA903C6
SHA-512:	A985591C4A2764F23603848E0C78BC493C36D435714AC781E06A3C0ABFAB529E31F7BA33A28C46B7EF57FDD86550D5E128BA72EAB2D3D6262426E3D9A3A8E7AA
Malicious:	false
Preview:	regf1...1....Y&d.................... .... ......\.)Y.U.N...:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.8.B.C.D...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\8efibcd Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.197658781862235
Encrypted:	false
SSDEEP:	48:9Sg5WZALMeJodTmgzNBU0Zl9bzbeGtAU3r8WIVeVlqCGO8tqqwEM08wp4BorisPh:9SOP7OdjPU6eG22IAIqq0+6YfP+
MD5:	EC7EC2E1F14E61302CF416EE598DAD21
SHA1:	4E7F79A7300FF6B9E4DE1CE4C2A6127E222B9BD0
SHA-256:	588E1C488835820CB4CD560C41B2D3BF386B2083ED02688E818AAFA206316E16
SHA-512:	F700608A73A2BDB37B63E80CBD3F23E36B2BC19D56BE29FB8A5274150720A7C1E3CD5769A66CBC494DD560F59CBEB9E581936C83A98FDFC1634E975B27F302C4
Malicious:	false
Preview:	regf'...'...r..i.................... .... .......N...:gGl;`\.D..n.N.]wQ\.d.a.t.1.\.t.o.o.l.s.\.8.e.f.i.b.c.d...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm....................................................................................................................................................................................................................................................................................................................................................~K..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\Etfsboot.com Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.049931330854999
Encrypted:	false
SSDEEP:	48:LW9r0eIvMCkR4EgY7T2RZ6HxVouNjn3pigTBQt:6gFv2X7H2RZUxtNzpvBQt
MD5:	D4BEFEBF3CEF129AC087422B9E912788
SHA1:	62313EC73F381C052F2513CA6279CFB5107E98C0
SHA-256:	F425E135AAC26B55E2BAC655E62E2CE0B16255226C583D9AB43B2E93E8A6D932
SHA-512:	3814E4682CAD2EF40061D3D5E8142C964CC73A6C6DFC72BA59CBAB0922DD0C7E279703450E3A1F4FCFDE3498565BF6EF28A30E7DE53A0EDA75B3FEA76D03929B
Malicious:	false
Preview:	.3....\|....R....$.<.t..........^..!.t....\|..}...=.......E.....=..u........4....ry....5......=U.uiZ.....F.h..j.h. ...r.`.......... ..ah..j.h. ...s.h..j.h. ...r2....3.h. P.V......1.....V......2.....j......j.......^.....t..............$...3.... .&......&.G.....&.7&..t.&.O........u...3.... .....&......&.G....... .....3........T.. ....................s........\|..........t..................CDBOOT: Cannot boot from CD - Code: 3...CDBOOT: Couldn't find BOOTMGR...CDBOOT: Memory overflow error..............3.3.6..&.....t5...!...Q3.....Yth;.s4+.>...t......Q....Y..........A...............&.>...u.........SQ....Y.....[...+.t.J...+...y....Q3.&.O .>...t.&.G..u.*.t....u.....t.Y.l.&.G..t.:.u.Y..U..SVRP.......G...G...G....G....G....F.....F.....F.....F.....F.....>....u..>.. ........................... .....G.....G.....G.....G.....B.......>...u(.... ...........s.j.....b..... ........XZ^[..].U..QSP....................t.......PS.v..6...6........X[Y..].P&.G....&.G....&.G....&.G....X.

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\GDisk.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3003784
Entropy (8bit):	6.59347578617477
Encrypted:	false
SSDEEP:	49152:uHGL3aOOFvhi7F216g4/t+MakIr0Od3PvGOo41/tOE8B/L:uYK/sF2163+kdE/vG/
MD5:	85C7CC9760EB03C9657CFD3880603A7C
SHA1:	335392BD7308303C3129B9DAF32A3264F5167355
SHA-256:	9EDF492513105F44D5E5EC53F2A300E5875733FCECE887FC414653AE72FA1583
SHA-512:	A4B2BDF78F2448AC39640AD0997A38EF1ABF10321065E0A5C4AA46EA493DEAC0B9DA5107F7365FBB320542DA81E47798BF7F839D3E2318F0FCA0028082693215
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.J...$...$...$..Z...$.3.V.D.$.3.Y.>.$.3.I...$.3._...$...%...$.3.J..$.3.X...$.3.\...$.Rich..$.................PE..L.....\|L..................".........y........."...@...................................-......................................>.........X.............-..............."..............................................."......>.@....................text....."......."................. ..`.rdata.......".......".............@..@.data....8...`..@...`.............@....mixcrt...............-.............@....rsrc...X.............-.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\MENU.LST Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1187
Entropy (8bit):	6.141847914712622
Encrypted:	false
SSDEEP:	24:YLldnoSDWDsDmLSNSWFvpkSx1w8XS8fXXe2N6OjtYcqTwryUOS+HjHOOJ:YAMKS3vyp8XRfXfNRNj+HjHOu
MD5:	AD7F7B93DDC2E23432907078CA997D96
SHA1:	CA8BA885687526C149A8B1CCBAB172599D9D62F4
SHA-256:	AF1091A753FB34D37896774AF38FDD83BEBF80FC977430CC578F6A2B0F72FFD0
SHA-512:	214FDB90474692C15194117F5D57A60714DA5972F3B6374FB9E174FD80EA3075730CE843947D12B32FBA564A04C6D65B6AC15E3DD88B3F3B7800EF2B2B2CC5C6
Malicious:	false
Preview:	.timeout 10..default 0..gfxmenu /BOOT/GRUB/MESSAGE..title .01. .......PE(....)..echo $[1106] Loading WINPE, Please Wait .....find --set-root /boot/bootmhr && chainloader /boot/bootmhr..title .02. ..win7...PE(....)..echo $[1106] Loading WIN7PE, Please Wait .....find --set-root /boot/bootm7r && chainloader /boot/bootm7r..title .03. ....Ghost........RUN --mem /BOOT/IMGS/GHOST.IMG..title .04. ..Disk Genius......RUN /BOOT/IMGS/DGDOS.IMG..title .05. ..Memtest5.0......RUN /BOOT/IMGS/MT501.IMG..title .06. ..Windows....(....)..RUN --mem /BOOT/IMGS/PASSWORD.IMG..title .07. ===.........===..set /a bn=%bn%+1..if "%bn%"=="1" && command /BOOT/GRUB/BOOTHARD..set sw=No..map --unmap=0xfe..checkrange 0x80 read 0x8280 && if exist (hd0)/fb.cfg && set sw=yes..checkrange 0x23 read 0x8280 && if not exist (fd0)/fb.cfg && set sw=yes..set /a hdn=*0x475&0xff..if

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\MENUUD3.LST Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1375
Entropy (8bit):	6.209653149925306
Encrypted:	false
SSDEEP:	24:YLldnxcwsn6bSDWJDmLvBnpDm7bNSWTkSH1w8lS8xXXe2N6OjtYcqTwryUOS+Hjl:YZcEbKvBnJsyf8lRxXfNRNj+HjHOu
MD5:	E4EF3F0BACE0EB789FDAE537020BF53A
SHA1:	60A12180A085B398E83DBA72BFA27770997FB510
SHA-256:	52769837BA9C757B17AF16812E28E8469A88BDFDFBF454C762299A4256793D63
SHA-512:	16D5A4DF1415ED64350DA33E2DAB4DEC1ECE3E6EB7F3D3866202E6447A604C20B80D39FE3C0CD0E677D2355884A60F04594F7B3FBDFD7BB13750668C911175A2
Malicious:	false
Preview:	.timeout 10..default 0..gfxmenu /BOOT/GRUB/MESSAGE..title .01. .......PE(....)..fallback +1..SISO RUN /BOOT/jsyhx64.ISO..title .02. .......PE(....)..echo $[1106] Loading WINPE, Please Wait .....find --set-root /boot/bootmhr && chainloader /boot/bootmhr..title .03. ..win7...PE(....)..fallback +1..SISO RUN /BOOT/jsy7x86.ISO..title .04. ..win7...PE(....)..echo $[1106] Loading WIN7PE, Please Wait .....find --set-root /boot/bootm7r && chainloader /boot/bootm7r..title .05. ....Ghost........RUN --mem /BOOT/IMGS/GHOST.IMG..title .06. ..Disk Genius......RUN /BOOT/IMGS/DGDOS.IMG..title .07. ..Memtest5.0......RUN /BOOT/IMGS/MT501.IMG..title .08. ..Windows....(....)..RUN --mem /BOOT/IMGS/PASSWORD.IMG..title .09. ===.........===..set /a bn=%bn%+1..if "%bn%"=="1" && command /BOOT/GRUB/BOOTHARD..set sw=N

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\PECMD.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	593408
Entropy (8bit):	7.904336665472972
Encrypted:	false
SSDEEP:	12288:xQeXdsg8DQ0GMb6hrU3b8W7mtMW3oqcANTQqo7PCeZ:xNsbwgb57KcANcqCqk
MD5:	C7B6EF1EC6D397433962F1D1A5586F0F
SHA1:	37662513075EAAC1A02E4471CC6574553959FE2A
SHA-256:	E0A4111A340E437091A5F12425B907954E4ECCBA9BEC26839F29E732DA9239D1
SHA-512:	DC62D0A8C928B50FD48E03C63F49E7C8F0BA8FCBE9C151666C69366ECD16587831BE444747A089F1CD7E54D3704D2EE69DB2E621CB8E6C545FA67BE14C72AC4A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L.....6U.................(...........r.......@....@..............................................p...................p.......p..........Dr...........................................................................q..@............................MPRESS1.`...............................MPRESS2E....p...........................rsrc...Dr.......t..................@..............................................................................v2.19..O... ..*....N.......o...U...I.\......RG?..L.....Z.....F...<.....4OQH.o..c......;.....H)@T ......e...q.. ..E!..Hr..;;}lJh..j..n.Z....,...U1..5e.."7y.P.\....i....ZB.5.61......h.........R... .......z....XO.B0..8.`.o..Y..!).G..6]y.....w3.,.\)..1.? ...Q...{.p..G....K..!vZx.]...J.....fY.j... .......H.p..go#../..AU.+.....\|.o...nL;..Y....Y.).(.jC..G]-S.........]X.....5hI....e.UyI.q.....}.....#S}.[...P....f.u..c.\.-.....v.x!.S...@.#.!..Uwt..I..hK.......

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\QEMU.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2919438
Entropy (8bit):	5.756132556740688
Encrypted:	false
SSDEEP:	49152:K3EBHvdtoMWKcEdmcMK6C1f7th36PKy/mxNpY2GUs+6mcjM:K3EBXoMhcEdmcMK6CBth3emx7Y2GUf6M
MD5:	0BC0128ADC469C94F9830F52776DE861
SHA1:	DF71DE8D4152B894C9D2B3FDF6A1DEFED31B6DAA
SHA-256:	AE5A298E6EE113B97425BC3E2C23C0CAF90F367E8A1F25EC0272DEEB7DD9A485
SHA-512:	99D8C44F62FE1B8F06FD5E5B319DBD660A898D16B00A8AD7AEC6697E11EF63A729161C9114A70084DEAB1A41E44B130B0290665CBE7D95DA4341C7792909CCBC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}M..,...................,...a.`.............@.................................nN-...@... .............................. ...#...p..p....................................................`......................H&..X............................text...............................`.P`.data...\|9.......:..................@.`..rdata..$...........................@.`@/4......p....p,......P,.............@.0..bss....T.a...,.......................`..idata...#... ...$...R,.............@.0..CRT.........P.......v,.............@.0..tls.... ....`.......x,.............@.0..rsrc...p....p.......z,.............@.0.........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\SDL.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	324096
Entropy (8bit):	6.678894765303499
Encrypted:	false
SSDEEP:	6144:bZznUL/y6igDAqMCJDrAEsVuu0mhoP3Y14oWADKmzAB4wdi6:bZznUTy6igDAqMCJDrAEsVuu0mqPIs7
MD5:	67ACD10F873A6F1997B17E629E1DBDFE
SHA1:	DD95D21BC294072F6928EF9143CD2A71AA89B906
SHA-256:	0F0EC611E038BE2DD9F08FAA809051615911FD3EA734980359280362181608A6
SHA-512:	25740490D16CECF91980D861DB0D3486A11EF818CBF824729DC48BD3EE0B3A5C8EA1AC779026185D99939DF59E1EFAE94694394D61DC74222EF7CE1534E89594
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......J...........#...8............`..............h.......................................... ......................P..e....p..d................................ ...................................................................................text...............................`..`.data... ...........................@....rdata.......0......................@..@.bss.....................................edata..e....P......................@..@.idata..d....p......................@....rsrc...............................@....reloc... ......."..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\bios.bin Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	6.449731940765529
Encrypted:	false
SSDEEP:	3072:5xa/3XA5Mezf9vG59vBoUSLQ8JqydQbcSbzRwgC:5xa/3XcFvGTvBoUJ8JqjbcS/RwgC
MD5:	178FDA3118109882380F2897493F6DD4
SHA1:	8D0120F50624B216B8C3A54149CED70829FAD814
SHA-256:	18731DF5AFC45EEDE91BA3868239508D129C5CF0ED812FB85C5765CF0A8B23D8
SHA-512:	E110FF014B291B9A5ED5AD5797A18D0F4957CE54F21210ACF76A0936D61C8A4E08B0270BB914279D235DA6C16CDF236358AE9C352590D584EA03A97162A69BB7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\efi32.bin Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	data
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	6.272710774108453
Encrypted:	false
SSDEEP:	12288:HZKfpc3ERvzEhlk9YEXQJt3+kX3oFYH5cTXVHnTk8i4vHducOfdpTQ4UB63+:HZKfpc3jk9tQJtNoFw+TVzck0144UBR
MD5:	07F88BE907C1D658F80C058645F7A135
SHA1:	627F39C7F77006354759BC90382562D6B183A84F
SHA-256:	D9808FB1F750250EFDA17FAD79D0621B727C3EFE7384A89B415ECA92222D25C7
SHA-512:	CB8E7CA3D7453BA50BD5552F5D3C3D59E81C03A05187E2B12188410E72AD23E512B70D49A505B061C593906704264C658B881DF7BC1FB39B917573B430C8293C
Malicious:	false
Preview:	.................+...v.L..'G.[OP........_FVH....H....... ................6..u2dA....p..}....Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\efi64.bin Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	data
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	6.587125801788772
Encrypted:	false
SSDEEP:	12288:gJc/JmMJjzNKhaQHeP45e6BtH8kV0+/VaZXi9vp/iygCJw81mVHOR5Vjk5F:Kc/JRZNKhrHd5lBF88pPgCJw88NYCz
MD5:	443C99C734736D6323F68B3F6C0DF06F
SHA1:	CB4ED9935205FF61C078D008D658D61930B85983
SHA-256:	32E745D03247FBCBCF5BC0238AA3E05EE1D0FCC1FDB6E11362E681E3582C6CFF
SHA-512:	41E0246B8D17223424493969715FDADD024E90E074796E2D13E64823A0E50778C1A0A6905F9FD09AD1D1D6AFB5785AC9FFA97704E6F01456A5FB62FC992462DF
Malicious:	false
Preview:	.................+...v.L..'G.[OP........_FVH....H....... ................6..u2dA....p..}....Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\hd.vmdk Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	VMware4 disk image
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	0.032941509357403385
Encrypted:	false
SSDEEP:	12:nLiGGs/oNCXRnj8caDl5ExsFRtutitmtat+tyt2tqt6f/X/:NGMoiR4fExsFRtJt5tJtZt6v/
MD5:	CA1D5385263311784B2624CB8F9F3945
SHA1:	EB0E34AE034B44BE3155FDDA326022AA39BA0140
SHA-256:	C1968A05A22B7124B8E6851DC757B396CF7C5888F75A649694BF769026D895D4
SHA-512:	EF42DB558CA1C1F254D85DFC00815B3800C7174C4A5886E54A42CC0E3865A7BB2C69F0E8493ED073D9EBCE8B2B13A70FF74948742B8BA4CCC25DD82985131874
Malicious:	false
Preview:	KDMV.......... ........................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................# Disk DescriptorFile.version=1.CID=53e9f6f7.parentCID=ffffffff.createType="monolithicSparse"..# Extent description.RW 2097152 SPARSE "hd.vmdk"..# The Disk Data Base.#DDB..ddb.virtualHWVersion = "4".ddb.geometry.cylinders = "2080".ddb.geometry.heads = "16".ddb.geometry.sectors = "63".ddb.adapterType = "ide"....................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libpdcurses.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	87054
Entropy (8bit):	6.537987994517806
Encrypted:	false
SSDEEP:	1536:z/MJ/+nRoxPaSYYIfPfMKMTH1XaEaPHY5Ulq5RQ55A5B7wx0E32CMpG9H:z0p+nYIfPBMD1XXaPHY5UEEe7pE32t85
MD5:	0320638E15E1415F0B4F4D8E115957DC
SHA1:	44E04FC2E0A6C29CB20D26E41DFE0767362BE5B6
SHA-256:	05204B05A476845D77A72684751AC337A285603222BBD6D8BC4672CE8E248EAC
SHA-512:	24D43451EF4664431374A81DF733ECDF5C1D508FFA6A8C1FAE93C9682A7019CFF92E6E0D65ED6D90BEA2B19316CCCE9E52EB68A80324B03D56B9B882A008F338
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H6y6.T.........#.........P... ................ b.......................................... .................................x....................................................................................................................text...............................`.P`.data...H...........................@.`..rdata... ... ..."..................@.`@/4......t....P......................@.0@.bss.........`........................`..edata..............................@.0@.idata..x............<..............@.0..reloc...............H..............@.0B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libssp-0.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	32270
Entropy (8bit):	6.028153828077623
Encrypted:	false
SSDEEP:	384:cCejrkvCE0Q4dYjxcXT1/OhILLSQ5YrPSpAWVmsANKyU4LhpImcOhw9qho5lvhrw:cCejQvCXwxcRKQ5YrqssP0hpixwuhCb
MD5:	E91DBFEEEFEE5FA1C6F5E017B66FA685
SHA1:	87017821E1639E4240DE4E4EF1BE0810F2D73DCA
SHA-256:	817BF7ECC95F4CF87B7875D88F5C1B265F8B2E1FC42867A1EAF18F1FCC97EF8A
SHA-512:	F3AEA479062B85B9BCBB6D51123DCC63DB1E351D73A9E648B5D905B28A2093FD37E7CE4FC31C8C0F0B17B5CD78AFA4BA649F00770F3D63EE7B30F10F17C47A52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.h.~.........#.....`...z...............p.....h.......................................... ......................................................................................................................................................text...D^.......`..................`.P`.data... ....p.......d..............@.0..rdata..@............f..............@.`@/4...................l..............@.0..bss..................................@..edata...............n..............@.0@.idata...............p..............@.0..CRT.................v..............@.0..tls.... ............x..............@.0..reloc...............z..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\libz-1.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	6.62924047816937
Encrypted:	false
SSDEEP:	1536:7oXtn5ioQ5ngCqvP+H4GyXQ2Z3Kc6UGrfrryJrE1HcNDEOIOkIOknToIfWhQFk:7oXBooQ5n9quH47XQsKKbEFcNLKITBfh
MD5:	3D1F65624EBAEA131C0DC61C5EDE4C88
SHA1:	54B3986A17E4DCE7149136A58F4713F5B67C5EC6
SHA-256:	A62C67128B10FBC32471B63D807B90A6F88FFCE44F7495480CABAA57B8881F7D
SHA-512:	3C5FA60130948F0F63E131F56EBB270E3C9CE643C4D64310DD43D61F6EF6730C2DEBD83C35AABA2C2F4FE46D4A5915F9C5DC2CBF91BB7174306FCE531B184050
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#................`.............Pe................................$......... ......................P..^....`...............................p.......................................................................................text...............................`.P`.data...X...........................@.0..rdata...C.......D..................@.`@.bss.........@........................@..edata..^....P......................@.0@.idata.......`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\QEMU\vgabios-stdvga.bin Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	BIOS (ia32) ROM Ext. IBM comp. Video (73*512)
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.937455846413555
Encrypted:	false
SSDEEP:	384:UugncgrVCYWgrnECV9b4xIifVLvghWzCSiuFYd/S87qa2jhOnjiwjmFcrHo:vWc8VIg4c9b4rLvghWFY//7+9OnjBfH
MD5:	5B506BE8B749688BB0CEA80F48F5D170
SHA1:	699FC369C9E6FBC75331C3390E689F1A073BB6AD
SHA-256:	4D7BBF850577E9E1B95C24C117EB031418071A439B03F96804F0492DE5D368C0
SHA-512:	745A4787C2F60D39FA80441BADA2386CECFA4A09485132F760F3A7F62401A8FDE7B13BC4932A2EE452606C205D724200C85B1AF7E86D0ED7A3F59D865F22EF04
Malicious:	false
Preview:	U.I.O..................h.....IBM.fUf..fS..t.f..@....t'f...f..f.............f.....gf..........f..f[f]...fUf..fVfSgf.].f..g.].f...f..f1...&f....f..<.t.r.<....fHf...gf.X+....f.@.....fK&......&....f[f^f]...fUf..fWfVfSfSf..gf.M.f..f9.s.gf.E.fHgf..E.f..gf.E.gf.].gf.}..t-..gf.M.gf.u.f......gf.M.gf.].gf.E.gf.E...fXf[f^f_f]...fWgf.\|$.f...gf.w.fUf..fWfVfSf..4f..f......f......f..f1.f....f...f..f..f......gf.U.f......gf.].f..f......f%....f1.f....f...f..f.....gf.E.f......gf.u.f....f.....gf.u......f.fZf..4f[f^f_f]gf.g.f_...fUf..fWfVfSf...f...t.f......f...gf.t6.f...gf.\[...f.....f.....f..f...f...f..f..f...gf...gf.M.gf.e....f...gf.E........t.f...f...gf.M.f.......f..gf.J.f..gf.M.f...f@f.....f.f..gf.E.gf...gf.e.f.....f..f..gf.@.gf.U.f..f...f@f.....f.f....f..gf.].gf...gf.E.f..gf..E.f@f.....f.f..f..f...f[f^f_f]....f..<cf......fUf..fWfVfSf..Pf..gf...g.@.f...gf.E.f...gf.E.gf.}..gf.G.f..gf.E.gf..G.gf..E.gf.w.gf..W.f...f..f..gf...gf.].g.W....t^............m.gf.u.f1.gf..T..gf.E.P.7.gf..fCgf.u.f...u..gf.

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\UltraISO.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1316864
Entropy (8bit):	7.977951502611544
Encrypted:	false
SSDEEP:	24576:OFBP11EGBKorHQZOP2QcOoPgWicSCyl57B1BdlwvhMk5cYsdtt57IVpuaHx:OFBPE/xZOPjtUtiXB1B7E4nrir
MD5:	4A793682EA88194C500913C8DFB6BF8F
SHA1:	83932BD869BD3C46DF3B3C9BD14903269FE846A0
SHA-256:	745A16C283AE03F36B8EC2D5C4E8CF169529FFC5DACE5BC63FFFB901FFADC8FF
SHA-512:	AD7B786AFAD5B4295DBEC0349E6BECD2D97E3C95793F995531EADBF01E632EB6D27B43FA34335B7C76ADB193C47BD6070678FE708BB049EDB4E6ECA089412807
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L...7..V..................$...[...............%...@.............................................. ......................[...................................T...............................<........................................................text.....$.........................@....data.....[...%.....................@....tls................................@....rdata..............................@....idata...@..........................@....edata..............................@...

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\b7d Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	2.1124872685156197
Encrypted:	false
SSDEEP:	48:6gOWZ5L1eJodTmPzQ6yrob4zernRYt18imlPejGtZTzbGdaGgGc2:61mgOdY06zjrnC4UOzbCaG6
MD5:	1CFAAECDE2F296C8F479031585D80184
SHA1:	96041703AA7DBA1AFA058E7DA88A388D12C5F5CC
SHA-256:	FBD7000FF3C7C0643F37ECE932515C2B15B287C4BB2373FCCB65486910D3CC0F
SHA-512:	DEA7788BC436A1B77BEEA06047CA9ABE51E458AC08FF4B0908520F3D16131F9C0C41920FF8749AE29803DC5FA5975AEBD1B4908C1456857CBD5A9177D0767EAF
Malicious:	false
Preview:	regf.........2................... .... ......o.p.\.MQ9..[6R1.9.0.5.1.2.\..\&..:g\..N....\.r.e.s.\.b.7.d...)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................i..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bcd Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.2006680992695278
Encrypted:	false
SSDEEP:	24:811js/cY1ccw315KObGUw12Y5ynLIOcwf+Gp/WJodTmo8kHtOnwWHx85G6:8w/VSp15FbGbqLIi+WeJodTmnlB
MD5:	77726959DE14DC5479C5C09A76374076
SHA1:	21335832D4FAEAB27B743700A664E17FFE3E2066
SHA-256:	F0CFF01420A3B049AC54B247390B7049251146BA54E81D32F4AA6B3D1E16CEB5
SHA-512:	46C97E037FCC6E80EA2DDA24E4EDB1F618EF79B08072B5F6F403B8DC2A3D928B374F3078B2DB396893524970459F3C9F15BD2F5709A539AAB97CB1BADBF07FE5
Malicious:	false
Preview:	regf.........=..)................... ...........\.?.?.\.E.:.\.s.h.a.r.e.\.w.i.n.8.\.b.c.d.......................)4.<.......PV...)4.<.......PV.......*4.<.......PV...rmtm.....................................................................................................................................................................................................................................................................................................................................................#.x........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bcdedit.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	327680
Entropy (8bit):	5.28383084948076
Encrypted:	false
SSDEEP:	3072:WQM6G0689nx9n3rYwhRNvpbE3Vr6JjoyiPhyEN2VDtt6taDMEVunrbaH0ByofkTl:WQp9x5YwiVWAx864Pumz5K/s
MD5:	54DA4A3EBAE0F043465B781D45EB7E50
SHA1:	8ED915230B8AB3F24B76B064AB484BEC43320095
SHA-256:	A6F3CBE17B2FA1622F6156B53490C1266C9BB6BCA201DE7BE106ECEAE883A1E0
SHA-512:	A9D695806EB28B5987D9935A621A5AE81ED940327E00515DE69F9034969C596D347A66B298DB2CAC7B1D0632C0304CB512510F8BE55610BC31E58002E35CAB02
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e.vG..%G..%G..%.sS%O..%.sU%I..%.sT%...%.sQ%N..%G..%...%.s(%f..%`.%F..%.s_%F..%.sR%F..%RichG..%........................PE..L......P.................z..........;.............@..........................@......V]....@...... ..............................d....... I.......................... ...................................@...........4................................text....x.......z.................. ..`.data...H............~..............@....idata..............................@..@.rsrc... I.......J..................@..@.reloc... ......."..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\boot.sdi Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	data
Category:	dropped
Size (bytes):	983040
Entropy (8bit):	2.543080944376282
Encrypted:	false
SSDEEP:	3072:C/pcj53vs/InbrTIHvPnHmC5irUuMo/+ncoZZihnhv/pc:qcRn7y/EouH/cpif
MD5:	9106857D1B8712BA3FEE8A4BACE8B9E9
SHA1:	F65BA483679CC58A67E29501382F33586A9E1B69
SHA-256:	FD9C0F38DD4A75632A4F5B94DD1977660F4A6FD53AE501FCE976F430C5885724
SHA-512:	3A452F740103D7430A7725C039B24092F1D326CA0BB50E527FBFC4D6BD0EB63BC9E40D9794EC5FDE71C839A64495F1F001424E2ECAFC8D48288AD23019FE2BC6
Malicious:	false
Preview:	$SDI0001................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................9...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootice.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	7.85474407296816
Encrypted:	false
SSDEEP:	6144:3sdbaZx/8B+q2cWNIUHwHU/N2KBJXB8RPozWuhjkl24TOwx0/+pyjzI/oSbY:8V+++cWNRLv7kP2S2IuzI/oS0
MD5:	0E72509B2D5C55093E2C9AD141067644
SHA1:	4470A289016E2815777D3EEC2BF7F985730249CD
SHA-256:	A65ECB7BCB0FBC02ECC72300E10A36171C55FF322DE5F6390669973BF49A2587
SHA-512:	3CEEBFC64649C7A325FBFDFEFAEB437A742E005AB270CA614A2C3907B02CF61A55F42F0B1D9B0F66E2A4BFFA22B29D6F64625EF03FD179958429303995BE1B24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4..[p...p...p...kCj.T...kC_.g...kCk.....y.B.q...y.R.g...p...7...n.B.w...kCn.=...kC[.q...kC\.q...Richp...........PE..L....J.T.............................z............@..........................0............@.................................P ..........P....................#..........................................H...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................................................by Pauly!....

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootm7r Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	398157
Entropy (8bit):	7.880451328895632
Encrypted:	false
SSDEEP:	12288:e90w+ZKArM1eu8fh5TZUV4SJ8ez8Fq1WsH/XU0z+:u8m1e1XZUVD8e4a/E0z+
MD5:	A8A314427AE1574AF6835877F657FF69
SHA1:	8B862AA74AD59367E5D7EC76473E96CFE5BA9641
SHA-256:	D2605BE6A6A2E217876A20376035D4C2A55F56F451FE7B8797A35792116475F8
SHA-512:	C1C287BABC14258C6031BA346FD2428750B0693C9E60D2D3C2ACE4F91B065E6B68E2408C85E14A85E3B5349CFC88DB79F067ABC09E98549B2CC446465150F57D
Malicious:	false
Preview:	.........R....f3....4..Q......Pf..T.f...f..f............X.0..........Z.....RQ.fS.D...f[..........YZB..J...fSfSP....:.f..Xf....f[.......3......P..f;........f...f..f..X.(..f[.fPfRfQfS.f..L.f..f.M....]..f[fYfZfX.PfQ3..$.A.......@;.....fXfPf;..........fYX.P&g....>.......$........fCfC.................f.............X.fQf.....>.......f..f..f....f..f...f3.f..fY.fPfSfQf..L.......f.L.f..\.f..D.f..f+.f..D.f...f...f..fHf3.f..f+.f..D.f+.f..f..L.f3.f..2.f=..........fYf[fX.B...J..........R...f3.f....4...6..n...fUfSfVfWf..`......f3.f...fSf.....f..f...j0......f3...g..&g..f...f.............f[.0.....f..f_f^f[f]fZfh ...fRf.fUfSfVfWf..`......f3.f...fSf.....f..f...j0......f3...g..&g..f...f.........U.....f.F.fP....f......h..&.v.&.v.&f.F.&f.^.&f.N.&f.V.&f.v.&f.~ &f.^(&f.f4&f.n8&f.F0.f].f.fUf.....f]...&f.F.&f.^.&f.N.&f.V.&f.v.&f.~ &f.^(&f.f4&f.n8fX&f.F<..&f.f0.].....f[.0.....f..f_f^f[f]fZfh ...fRf.fPfPf.....fP...fPfPf.....fP...fPfPf.....fP..fPfPf.....fP..fPfPf.....fP..fPfPf.....fP.

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1354480
Entropy (8bit):	6.449263012275028
Encrypted:	false
SSDEEP:	24576:awzWtzcdsvASZspKYCjdgiQh9rgc6SPEl3ODzkYbgyM8oPw+65Cm:xzDuvyprCjdgiLLsQYbgyM1rm
MD5:	87B6D22295A16073D8D456FC574441A8
SHA1:	0C26596B3297D5E5A06F8D3788579EDC7895A622
SHA-256:	783D088CE72996A064C0DA796579475E0AEF23C5E6E0E5905C98571BF8620E20
SHA-512:	17E8AB17CB0E872E92843274FE2E7F0F77341ED252883A97CE104CAD31F144F73876322A58FF6DF05F0CF98353DBD5D9F83863E8B4F1E6F8645791A5829C70BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..a..a...-.3...,.q...*.v...Q.....).`...&.`...+.`..Richa..................PE..d...[..P.........." ....................................................................................................................4................................ ......@....................................J..p............................................text.............................. ..`PAGER32CH=.......>.................. ..`PAGE................................ ..`.rdata..D...........................@..@.data....<.......F..................@....pdata..............................@..@PAGER32R.............l..............@..@.rsrc................p..............@..@.reloc...............n..............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgfw.efi.mui Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63728
Entropy (8bit):	4.707057839761821
Encrypted:	false
SSDEEP:	384:M1hydczPhI9r1WtR8WvrzBpAv8TXAuOuNNzv6qEGLil/tKs28DBRJxplG9cW:MHydc7SitRDAuOuNNzv6tKsT1Pxi9D
MD5:	33A1F3CDC35DD4FC4B514B18D0F5AF2F
SHA1:	E916C6BDC8CE33A3270573EB997C3F9E7C541D23
SHA-256:	F916150DC0CE6EF93BF032BD4941836EEF8D0BDFAC7C68574A73869CA2EDE602
SHA-512:	7A5044A16539ADEB4D9BF3B9D06864B9549634D21E77D84F29D517CC8ECF81133EF770D1859617ED27F5A00913EE2A75CE80F1E26A696C7735FF2248960E5D1F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\|...\|...\|.......\|.......\|..Rich.\|..........................PE..L...R..H.........."!.................................................................k....@.............................................................. ...........................................................................................rsrc...............................@..@................................................0...0.......H.......`.......x...........................................................................................8................................................................................................... ...P................................%..x...........h)................M.U.I...B.O.O.T.M.G.R...X.S.L.................................8e...}..."..a....Uy.x.....h.............................................................................M.U.I...........

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgr Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	398156
Entropy (8bit):	7.885858823335205
Encrypted:	false
SSDEEP:	12288:egXZ0dArM1eu8fh5TZUV4SJ8ez8Fq1WsH/3UzM:bXI1e1XZUVD8e4a/kzM
MD5:	21BF183C15AFE62A8D1137BB9007B2A3
SHA1:	D656DD1E85D7E8ACFFDEFA9CED5D74BF0B978E39
SHA-256:	2FC3D311969B63A258446488EC75C275D736DED13D74624E1C541F43A72AB483
SHA-512:	8A67833D502EDABA077C783DAB69A7D8C9155971C409F78CB87948BD4415B7A58410517ACED73D6ED7D13A6B975AF769AA0623B9DFFD9537F5A1CE0248308291
Malicious:	false
Preview:	.........R....f3....4..Q......Pf..T.f...f..f............X.0..........Z.....RQ.fS.D...f[..........YZB..J...fSfSP....:.f..Xf....f[.......3......P..f;........f...f..f..X.(..f[.fPfRfQfS.f..L.f..f.M....]..f[fYfZfX.PfQ3..$.A.......@;.....fXfPf;..........fYX.P&g....>.......$........fCfC.................f.............X.fQf.....>.......f..f..f....f..f...f3.f..fY.fPfSfQf..L.......f.L.f..\.f..D.f..f+.f..D.f...f...f..fHf3.f..f+.f..D.f+.f..f..L.f3.f..2.f=..........fYf[fX.B...J..........R...f3.f....4...6..n...fUfSfVfWf..`......f3.f...fSf.....f..f...j0......f3...g..&g..f...f.............f[.0.....f..f_f^f[f]fZfh ...fRf.fUfSfVfWf..`......f3.f...fSf.....f..f...j0......f3...g..&g..f...f.........U.....f.F.fP....f......h..&.v.&.v.&f.F.&f.^.&f.N.&f.V.&f.v.&f.~ &f.^(&f.f4&f.n8&f.F0.f].f.fUf.....f]...&f.F.&f.^.&f.N.&f.V.&f.v.&f.~ &f.^(&f.f4&f.n8fX&f.F<..&f.f0.].....f[.0.....f..f_f^f[f]fZfh ...fRf.fPfPf.....fP...fPfPf.....fP...fPfPf.....fP..fPfPf.....fP..fPfPf.....fP..fPfPf.....fP.

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmgr.exe.mui Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63728
Entropy (8bit):	4.7074106741898385
Encrypted:	false
SSDEEP:	384:KhydczPhI9r1WtR8WvrzBpAv8TXAuOuNNzv6qEGLil/tKspH8DBRJTlRMk:Kydc7SitRDAuOuNNzv6tKspc1PDf
MD5:	94AE44D9AD4512BEEC5A07B29F8F6A3A
SHA1:	2DD0E0A9C92EBDF633ED2C52A06015BBA63E4D3C
SHA-256:	DD30295CDB38381B0D4A527BB06C46745D5DD4B1F369B1452E837CE1D73A76F7
SHA-512:	1A843177C8264ECF273BA75CD735E31E66DA1F78262124046D0421051DA31979846DF1A0ABDC88D83A720EEF7EB2ABC790DA5C7579E5FA326DD36164CD072273
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\|...\|...\|.......\|.......\|..Rich.\|..........................PE..L...R..H.........."!................................................................0.....@.............................................................. ...........................................................................................rsrc...............................@..@................................................0...0.......H.......`.......x...........................................................................................8................................................................................................... ...P................................%..x...........h)................M.U.I...B.O.O.T.M.G.R...X.S.L.................................8e...}...".....3nz....eb9.............................................................................M.U.I...........

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootmhr Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	398157
Entropy (8bit):	7.880588577296823
Encrypted:	false
SSDEEP:	12288:ehBQF/ArM1eu8fh5TZUV4SJ8ez8Fq1WsH/sU8qQ:iQF71e1XZUVD8e4a/TdQ
MD5:	9D48760C0F911CE98C046329378117E9
SHA1:	0E3FBB49E35C7FE19CC045E23AF0044F265595CA
SHA-256:	1F6B804B50A74CF0C511C7B90F4392BA038B1B4D521935D3BBDEDBD6581276BB
SHA-512:	40E614B3DE1F20AFF8F2FBDDE20B93A5D7F0931123BA678A7E3478D36E18B1F3939DA8444296C43F26BCC606A8142A7CFD32D2627A78A50A8A102FEB6594F2FD
Malicious:	false
Preview:	.........R....f3....4..Q......Pf..T.f...f..f............X.0..........Z.....RQ.fS.D...f[..........YZB..J...fSfSP....:.f..Xf....f[.......3......P..f;........f...f..f..X.(..f[.fPfRfQfS.f..L.f..f.M....]..f[fYfZfX.PfQ3..$.A.......@;.....fXfPf;..........fYX.P&g....>.......$........fCfC.................f.............X.fQf.....>.......f..f..f....f..f...f3.f..fY.fPfSfQf..L.......f.L.f..\.f..D.f..f+.f..D.f...f...f..fHf3.f..f+.f..D.f+.f..f..L.f3.f..2.f=..........fYf[fX.B...J..........R...f3.f....4...6..n...fUfSfVfWf..`......f3.f...fSf.....f..f...j0......f3...g..&g..f...f.............f[.0.....f..f_f^f[f]fZfh ...fRf.fUfSfVfWf..`......f3.f...fSf.....f..f...j0......f3...g..&g..f...f.........U.....f.F.fP....f......h..&.v.&.v.&f.F.&f.^.&f.N.&f.V.&f.v.&f.~ &f.^(&f.f4&f.n8&f.F0.f].f.fUf.....f]...&f.F.&f.^.&f.N.&f.V.&f.v.&f.~ &f.^(&f.f4&f.n8fX&f.F<..&f.f0.].....f[.0.....f..f_f^f[f]fZfh ...fRf.fPfPf.....fP...fPfPf.....fP...fPfPf.....fP..fPfPf.....fP..fPfPf.....fP..fPfPf.....fP.

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\bootsect.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	5.5755301838041
Encrypted:	false
SSDEEP:	1536:YYbtrIOZ5XZX+SQleQKdsN+jiRBlY/k6ftJDR:ZI85x5ueQKdsN+jiRI/k6V7
MD5:	9594BC046765DF20F4AC8DED4D1DD5D8
SHA1:	95DE0064B529D0EE2A0BC786D3511A9376352847
SHA-256:	4C457232DD4B8E3589F2F38F705089BAF568B1E9EC1554A0A3022B39F4286E76
SHA-512:	5C1110603239D314AD8216E3503ECB78F40D2C286810E4AF7944AB4FDB0591E96A64268D545CD950696651E2A4E85529F1220A188CF7013DB827D8FA23A5A6B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..5...5...5.......5.......5.......5...4...5.......5...K...5.......5.......5.Rich..5.........PE..L.....[J.............................h..............................................vi....@...... ..........................D...d....`...:...........................................................E..@...x...X....................................text............................... ..`.data....k.......X..................@....rsrc....:...`...<...0..............@..@.reloc.."............l..............@..B..[J(...o.[J5.....[J@...~.[JJ...........KERNEL32.dll.msvcrt.dll.ntdll.dll.ADVAPI32.dll..........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\chs_boot.ttf Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \375 2006 Microsoft Corporation. All rights reserved.chs_bootRegularVersion 1.01
Category:	dropped
Size (bytes):	3694080
Entropy (8bit):	6.624448833616754
Encrypted:	false
SSDEEP:	49152:JRLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYuU1B3zCOGHrSGjwe18wGHLuRapXtb:5z1GHrHwe1auRa1V
MD5:	CEC569AA88293C3711AB8CE68523227E
SHA1:	03AD7AADA17A724FA9B7B2926D99026F7B673008
SHA-256:	13E470AB455716E87E0C7A89A8605A33D8DADC245F445141B3D9869DA87FEB20
SHA-512:	01C83C69169CCC560154851219891A4EC9E2A877251FF7AC8373D3627C74AE3FDABA0D15894352D3A81E29926BAAE1C084D7E4F8EB5246F97F44BE49AD1B97D9
Malicious:	false
Preview:	...........PDSIG.....8B....dEBDT.K4Q.....-..EBLCa.u.... ...xOS/2p......X...`cmapk......(...Vglyf.g.........Dhead.../.......6hhea..x........$hmtx.G.Q.......ploca.7.&......:maxpp......8... name..YS........post..#.......a1......../.#._.<...........<...............................................................p.....p......................................................f.f............................MSFT.@............................. .....Q............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\efisys.bin Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	"EFI ", FAT (12 bit), followed by FAT
Category:	dropped
Size (bytes):	2949120
Entropy (8bit):	6.163785261588251
Encrypted:	false
SSDEEP:	49152:Xqv6WBVxDDmOaJUatzDuvyprCjdgiLLsQYbgyMlJ2:Xw6WdDDmaLqYsgyyc
MD5:	C3834E1FE3FC05FF074C15C308BE4087
SHA1:	967D908A8C027754CD17444644471E938F24DC80
SHA-256:	3C8F8045483FCEFDCEAA2A77EBF114CE5136E392C337ACB80D0F0E8D6589C49F
SHA-512:	2C67CCBA197ACEFB0A85F52E2E40C57B3D023E8AEB098810DA88B98C69B7FD899429E70E9F9B17B261C251B8A8796FA7E5DC844B2495187227F581FE4DEF0CE2
Malicious:	false
Preview:	.<.ULTRAISO.............$.............).v0]EFI FAT12 3...{...x..v..V.U."..~..N.........\|.E..8N$} ....~...:f..\|f;..W.u.....V....s.3....}.F...f..F..V..F...v.`.F..V.. ...^...H...F..N.a....(.r>8-t.`....}.at=Nt... ;.r......}{...}....@t.Ht..........}..}....^.f......}.}..E..N....F..V......r....p.RP.Sj.j...F..&...3......B...v............~..u..B..V$..aar.@u.B.^.Iuw....'..Invalid system disk...Disk I/O error...Replace the disk, and then press any key....IO SYSMSDOS SYS...A...`fj..;...U........`................. ..@..`................! .#@.%`.'..)..+..-../..1 .3@.5`.7..9..;..=..?..A .C@.E`.G..I..K..M..O..Q .S@.U`.W..Y..[..].._..a .c@.e`.g..i..k..m..o..q .s@.u`.w..y..{..}...... ..@..`................. ..@..`................. ..@..`................. ..@..`................. ..@..`............... ..@..`............... ..@..`............... ..@..`.................!..A..a.................!..A..a................!!.#A.%a.'..)..+..-../..1!.3A.5a.7..9..;..=..?..A!.CA.Ea

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\fbinst.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	128529
Entropy (8bit):	5.706230011219611
Encrypted:	false
SSDEEP:	1536:w25YBtZbwW3PRAXYw6BCeJvzWSEZhmlJvPiQV0Lp8LVxRtnCr7GevORAgDwTf:kfZzPrBCWSl7IJik0Lp8LVNnwaeJ
MD5:	0AAB19E84783FD33BC306BC2059D5B9A
SHA1:	1212751E792BAEAC5930AD6A977B0182AF8979AA
SHA-256:	FE58B427CE661E976FBFDE72D7D7BAA9BE802C803D335B530288F98B0E922F25
SHA-512:	810EF76AFFA64E548A695490C819730C5389C2562E3CE2B93D3AE81E08E145788B8D85340985121F3F41089508B9FC96B0A45B0BAA1FAAD0A2BD1205ACB40B3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..O.X.............8.....T......0.............@.......................... ......_)........ .................................\....................................................................................................................text...,...........................`.P`.data....'.......(..................@.`..rdata..D*...0...,..................@.@@.bss....T....`........................@..idata..\............B..............@.0..rsrc................P..............@.0.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\iwll.dat Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	data
Category:	dropped
Size (bytes):	10894848
Entropy (8bit):	6.938317746625697
Encrypted:	false
SSDEEP:	196608:o9FCEwloCrO+GORSGYPgZCQjcrQQIAF5x45r3:o9rwloCP96AHVg5iF
MD5:	9B17722ACB2B02890843FD61A9858DCC
SHA1:	A0ED40B16A3E3F82B1F417EF5206D7B324A18B08
SHA-256:	6C1784A2AA5B0DD4F3DD4CE7895129FFEEE143D249F8DDD7595C6E32DB3F1CAA
SHA-512:	0C5FEAA451C5A8910A50E543713813A7827FB5211493F479C30DAD00DA24103E40D2A028BB1A182D12AC881145D482D1DCAC72781C8586D0A26984EC3B374AF6
Malicious:	false
Preview:	FBAR.......?...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P?ZBOOT/GRUB/BOOTHARD.......p....N?ZBOOT/GRUB/RUN.".X........P?ZBOOT/IMGS/BOOTFIX.ISO. .\....@..zN?ZBOOT/IMGS/DGDOS.IMG. .\|.....-.yN?ZBOOT/IMGS/GHOST.IMG. ..,.......N?ZBOOT/IMGS/MT501.IMG.#.<8......N?ZBOOT/IMGS/PASSWORD.IMG....<.......0:Zfb.cfg....<..d.....;Zgrldr....>........_BOOT/GRUB/SISO....M...r..M..]BOOT/GRUB/message.......................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\oscdimg.exe Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	119296
Entropy (8bit):	6.682989368728088
Encrypted:	false
SSDEEP:	3072:J914eR1Kj7y86TOFYpgV8R3LwDyNUzhL4tkAv2WiNc:J9BSrOpgV81LwDyNUzNAkm5i
MD5:	EDC8E2E5B7213F85BF331F4BFB6D67EB
SHA1:	317A26EA1E828579C97C4BF0BD1BB4B0FD94E7C3
SHA-256:	016FCDBD9A0E5CEBEAE5F134BE8C62E807F8F59E23CE847B3A312B01F2D96897
SHA-512:	EAF0C51FBDD56F5878615E06B4B0ABF2631FA6F88D77038BCDC80D9A205A746AD97F5B9F8602D767A818C4D6C22A65AF77ADB4C5243AB575AF4578C0F4B413B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.G............HkJ.....HkL.....HkM.....HkH.............Hk1............HkF.....HkK.....Rich....................PE..L...R..P.....................\.......r............@..........................0.......z....@...@.................................<.......(........................... ................................\|..@...........x...<............................text............................... ..`.data...T%..........................@....idata..P...........................@..@.rsrc...(...........................@..@.reloc..n ......."..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\uikey.ini Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.831509605424954
Encrypted:	false
SSDEEP:	3:jA7TQFsPWxBQYAdRGPV1Yaov:8vWIYVt1G
MD5:	420A653F6D54698E32127DFFC72F3251
SHA1:	8CEB0EB20E7B8F1B9155FECA3EE45AFCA3199AFF
SHA-256:	EA66E68ED4BBC109CA25C30C8CD1D23738CB16D8F1EC0C53088E9A94BC4F63D3
SHA-512:	6D61AB2F095A750B9E99500A84C9130062FFCF966E840A10525255FF0ED80CDD4456CF346709B2EBEB0FC9C8C4CC7547FA2CB000C9DFDCFCA029DB86C526E224
Malicious:	false
Preview:	UserName='....'..Registration='7C81-1689-4046-626F'..

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\waldr Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	322331
Entropy (8bit):	6.694157575125792
Encrypted:	false
SSDEEP:	6144:pcvZs1gkQ1e1tsP3/fCagTMEJyMc8z9nsqm9VNw:pcvZs1gngG3HgTOM/KP2
MD5:	646EC0ED1035C1164855284AF888FC9B
SHA1:	6D25C772A86A2AFAB08B7326314F80ED55DA1102
SHA-256:	82B7A94282833BEE7A458FBA1FB75241581128718C3DF0FE26305FD43A04FF5C
SHA-512:	7EDC5C4B33FF842E061D794D5562A5CAABC566442D12DC975CFB09E9EF16EC7F38724DD973C3E046B23C02DA8C4C50499F93AE368630298E801D6B18141BF9C1
Malicious:	false
Preview:	.>..............................................................1.......[..J........Sh[...N..f.>...............v..0...h. .......t.......0.1....r)..1.1........f.GRU.f9.u...... ..f9.t...h.....0.1...r..........................d........r.w-...................u.h.....1.1..<.s....i..........x.......Y...RVWU...]_^Z...... ....fa..........`PSQ............Y[Xr...u.as.`1...aOu........<.u....Missing helper...?..X.@h....P....r/.>..U.u'.....Kj@.....g.f1.1..D..u.8T.u.f.D.E...........................................................................................................................................[...........1.1...f.tK..t.1.f.....f@u...........<.u...`....j@.f.......D....\.f.D.f.D......B.e..a.fP.[S...f@........[..N..fXf.>......u.......[...........S.......Q......... .r:.....1.1.......h7... ...1.1....................Ku..+....p.. x..............-.....-....Ku..f1.....f........................................................................................

C:\Users\user\AppData\Local\Temp\400u50BLNB\tools\wgl4_boot.ttf Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 17 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.wgl4_boot is a trademark of Micro
Category:	dropped
Size (bytes):	47452
Entropy (8bit):	6.653349676863251
Encrypted:	false
SSDEEP:	768:/8KlPfaMmkeN4bKJX5zJN+D3eegCLmlor54NBHyh87kUJ3JnP/Ba/32UUU5wD2US:1CiuJXNuofSUBozIvS0YHaeYE
MD5:	D5CED633BF8446A3315EC58CD60148C1
SHA1:	8B4BCFC504A763FD47FB85D49BF23C1C68C5BCFC
SHA-256:	9AB081731E46DB6CF1248669DB7D6B09E9178B61B552A6A2287CA4202C83DA2B
SHA-512:	6224C2B8E24A3A8C4AD46D9324098C8CC776659F86E1CFA60B15C32199D741D2652489FF2F7AC996B0A899804F4BAF72AFB0B6338F0B15363AD1F8938072EE3A
Malicious:	false
Preview:	...........PDSIGu..u.......dEBDT.....4...^MEBLC.t:.........OS/2.B.....X...`cmappE5{...$...Lglyfk]L........Dhead...........6hhea...........$hmtxU..A.......lloca.Q.s...p...8maxp.......8... name.P.E........post.......l...%............_.<...........<......./............................................................................................3.......................f.f............................MSFT.@............................. ...3.A.........3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3...3..

C:\Users\user\AppData\Local\Temp\400u50BLNB\xldl.dll Download File
Process:	C:\Users\user\Desktop\FA3TCAsA9E.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.319013319313731
Encrypted:	false
SSDEEP:	6144:8s+Zak7wIL5DxM/kMfcFegZjHzsjsyAr1IizjcCdY:87Nw41a/jEBZjHAjsyABIizk
MD5:	40E8D381DA7C2BADC4B6F0CDB4B5378F
SHA1:	3646338C6A20F17BF4383A8D053CE37681DF8EAD
SHA-256:	CB0B0C42DAE0A1E946F97F6BDA522EB5AD943CB632BA3D19F597ECB3E1F5EB94
SHA-512:	68DC5128D2E90885CA0E69DCED80254E87AB765FAEFAF152B3CF452B37FB730EC146D4930342CED3F227BD7622A93592526D73567155346DE14CD76E5180E7B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L......S...........!.....P...........{.......`......................................D...................................C............ ..@............`.......0..T&.. b...............................................`...............................text...(A.......P.................. ..`.rdata...v...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.901770307313509
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FA3TCAsA9E.exe
File size:	24123904
MD5:	465403a9d41d410ba34e029b0831f5d8
SHA1:	368dc72252c0647c5343c290cfdf8ea4c0252344
SHA256:	8fad94268559bd4b13553e6ebcd81f00e6d86e408613cf62af4272309c374a34
SHA512:	160732bd0b2dd31eb272c4c8250f4af55a462659dbf56873af26601b67af82f5bf78d996762b60b03aa6f14e5ebbdd876b5a3615fb6d895bd5b9b1e6a9426954
SSDEEP:	393216:ecXjuwrSNfTedr5fLN3sKMtEMZcIuT1QdVaABLDE/y7ylRsFQH8:ecXyGmEzN3YfZc8a1kycy
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........!.<.@io.@io.@iol..o.@iol..o.@iol..o.@ioF..o.@io.8.o.@io.8.o.@iou.jn.@iou.mn.@iou.ln.Aio.@ho0Cio.8.o.@ior.mn.Biom.`n.@iom..o.@i

File Icon


Icon Hash:	8bab47cca9a9d600

Static PE Info

General
Entrypoint:	0x5f8536
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x603B1E27 [Sun Feb 28 04:37:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ccb611d3d4afbe5c827456c6f70e8ec1

Entrypoint Preview

Instruction
call 00007F0BB8BD8636h
jmp 00007F0BB8BD7393h
cmp ecx, dword ptr [007EF070h]
jne 00007F0BB8BD7505h
ret
jmp 00007F0BB8BD77B9h
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00741BF8h
je 00007F0BB8BD750Ch
push 0000000Ch
push esi
call 00007F0BB8BD7D1Ah
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F0BB8BD751Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F0BB8BD750Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F0BB8BD750Eh
add edx, 28h
cmp edx, esi
jne 00007F0BB8BD74ECh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F0BB8BD74FBh
call 00007F0BB8BD8A55h
test eax, eax
jne 00007F0BB8BD7505h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 008048BCh
mov edx, dword ptr [eax+04h]
jmp 00007F0BB8BD7506h
cmp edx, eax
je 00007F0BB8BD7512h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F0BB8BD74F2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F0BB8BD7509h
mov byte ptr [008048D8h], 00000001h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e95c0	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x427000	0x12b4410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16dc000	0x34810	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3c5680	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3c5714	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3c56b8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30b000	0xcdc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3096f6	0x309800	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x30b000	0xe2b0a	0xe2c00	False	0.435008527426	data	5.970861483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3ee000	0x1b11c	0x11000	False	0.385656020221	data	5.31687133203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x40a000	0x1acd8	0x1ae00	False	0.298373909884	data	4.22943470189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0x425000	0x10	0x200	False	0.05078125	data	0.155177575305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x426000	0x9	0x200	False	0.033203125	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x427000	0x12b4410	0x12b4600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16dc000	0x34810	0x34a00	False	0.469357741983	data	6.55105355353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x42801c	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428020	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428024	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428028	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x42802c	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428030	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428034	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428038	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x42803c	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428040	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428044	0x2	data	Chinese	China
AFX_DIALOG_LAYOUT	0x428048	0x2	data	Chinese	China
BINARY	0x42804c	0x115b8a8	data	Chinese	China
BINARY	0x15838f4	0x119088	data	Chinese	China
BINARY	0x169c97c	0x2a800	data	Chinese	China
RT_CURSOR	0x16c717c	0x134	data	Chinese	China
RT_CURSOR	0x16c72b0	0xb4	data	Chinese	China
RT_CURSOR	0x16c7364	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x16c7498	0x134	data	Chinese	China
RT_CURSOR	0x16c75cc	0x134	data	Chinese	China
RT_CURSOR	0x16c7700	0x134	data	Chinese	China
RT_CURSOR	0x16c7834	0x134	data	Chinese	China
RT_CURSOR	0x16c7968	0x134	data	Chinese	China
RT_CURSOR	0x16c7a9c	0x134	data	Chinese	China
RT_CURSOR	0x16c7bd0	0x134	data	Chinese	China
RT_CURSOR	0x16c7d04	0x134	data	Chinese	China
RT_CURSOR	0x16c7e38	0x134	data	Chinese	China
RT_CURSOR	0x16c7f6c	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x16c80a0	0x134	data	Chinese	China
RT_CURSOR	0x16c81d4	0x134	data	Chinese	China
RT_CURSOR	0x16c8308	0x134	data	Chinese	China
RT_BITMAP	0x16c843c	0xb8	data	Chinese	China
RT_BITMAP	0x16c84f4	0x144	data	Chinese	China
RT_ICON	0x16c8638	0x10828	dBase III DBT, version number 0, next free block index 40	Chinese	China
RT_DIALOG	0x16d8e60	0x2c	data	Chinese	China
RT_DIALOG	0x16d8e8c	0x40	data	Chinese	China
RT_DIALOG	0x16d8ecc	0x40	data	Chinese	China
RT_DIALOG	0x16d8f0c	0x40	data	Chinese	China
RT_DIALOG	0x16d8f4c	0x40	data	Chinese	China
RT_DIALOG	0x16d8f8c	0x40	data	Chinese	China
RT_DIALOG	0x16d8fcc	0x40	data	Chinese	China
RT_DIALOG	0x16d900c	0x40	data	Chinese	China
RT_DIALOG	0x16d904c	0x40	data	Chinese	China
RT_DIALOG	0x16d908c	0x40	data	Chinese	China
RT_DIALOG	0x16d90cc	0x2c	data	Chinese	China
RT_DIALOG	0x16d90f8	0x40	data	Chinese	China
RT_DIALOG	0x16d9138	0xe8	data	Chinese	China
RT_DIALOG	0x16d9220	0x34	data	Chinese	China
RT_STRING	0x16d9254	0x82	data	Chinese	China
RT_STRING	0x16d92d8	0x2a	data	Chinese	China
RT_STRING	0x16d9304	0x184	data	Chinese	China
RT_STRING	0x16d9488	0x4ee	data	Chinese	China
RT_STRING	0x16d9978	0x264	data	Chinese	China
RT_STRING	0x16d9bdc	0x2da	data	Chinese	China
RT_STRING	0x16d9eb8	0x8a	data	Chinese	China
RT_STRING	0x16d9f44	0xac	data	Chinese	China
RT_STRING	0x16d9ff0	0xde	data	Chinese	China
RT_STRING	0x16da0d0	0x4a8	data	Chinese	China
RT_STRING	0x16da578	0x228	data	Chinese	China
RT_STRING	0x16da7a0	0x2c	data	Chinese	China
RT_STRING	0x16da7cc	0x53e	data	Chinese	China
RT_GROUP_CURSOR	0x16dad0c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x16dad30	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dad44	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dad58	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dad6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dad80	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dad94	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dada8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dadbc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dadd0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dade4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dadf8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dae0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dae20	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x16dae34	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x16dae48	0x14	data	Chinese	China
RT_VERSION	0x16dae5c	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data	Chinese	China
RT_MANIFEST	0x16db0e8	0x327	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
WS2_32.dll	getservbyname, gethostbyname, htonl, WSACleanup, WSAGetLastError, socket, __WSAFDIsSet, select, WSASetLastError, recv, send, bind, closesocket, connect, getpeername, getsockname, getsockopt, htons, ntohs, setsockopt, WSAIoctl, getaddrinfo, freeaddrinfo, accept, listen, recvfrom, sendto, ioctlsocket, gethostname, WSAStartup, shutdown
WLDAP32.dll
KERNEL32.dll	TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GlobalFlags, VirtualProtect, SetErrorMode, FindResourceExW, SearchPathW, GetProfileIntW, GetUserDefaultLCID, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ResetEvent, WaitForSingleObjectEx, QueryPerformanceCounter, TlsGetValue, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetStdHandle, SetFilePointerEx, GetCommandLineW, GetCommandLineA, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, RtlUnwind, GetStringTypeW, LCMapStringW, GetCPInfo, GetFileTime, GetFileSizeEx, GetFileAttributesExW, LocalAlloc, GetPrivateProfileIntW, TlsAlloc, GetSystemTimeAsFileTime, GlobalGetAtomNameW, GetCurrentThread, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, FileTimeToLocalFileTime, ResumeThread, SetThreadPriority, CreateEventW, lstrcmpA, GetThreadLocale, lstrcmpiW, DuplicateHandle, UnlockFile, LockFile, GetFullPathNameW, FlushFileBuffers, GlobalSize, GetCurrentProcessId, GlobalFindAtomW, GlobalAddAtomW, LoadLibraryA, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, GetModuleHandleA, FreeResource, GetCurrentThreadId, EncodePointer, OutputDebugStringA, VerifyVersionInfoW, VerSetConditionMask, FormatMessageA, PeekNamedPipe, GetFileType, WaitForMultipleObjects, ExpandEnvironmentStringsA, GetTickCount, SleepEx, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, SetEndOfFile, GetFileSize, SystemTimeToFileTime, LocalFileTimeToFileTime, SetFilePointer, SetFileTime, FreeConsole, ReadConsoleOutputCharacterW, GetStdHandle, AttachConsole, SetVolumeLabelW, SetEvent, GetProcessHeap, DeleteCriticalSection, DecodePointer, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, HeapFree, SetLastError, CreatePipe, GetCurrentProcess, GlobalUnlock, GlobalLock, FindClose, FindNextFileW, FindFirstFileW, MoveFileExW, CopyFileW, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, RemoveDirectoryW, GetFileAttributesW, LocalFree, FormatMessageW, SetThreadExecutionState, WriteFile, GetTempPathW, OutputDebugStringW, DeleteFileW, GetTempFileNameW, CreateMutexW, GetWindowsDirectoryW, GetSystemDirectoryW, GetVolumeInformationW, DefineDosDeviceW, DeviceIoControl, GlobalFree, GlobalAlloc, CloseHandle, GetLocalTime, MulDiv, GetLastError, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetPrivateProfileStringA, GetPrivateProfileStringW, GetCurrentDirectoryW, GetModuleFileNameW, WinExec, lstrlenW, lstrcatW, GetDiskFreeSpaceExW, GetDriveTypeW, GetLogicalDriveStringsW, Sleep, GlobalMemoryStatusEx, GetModuleHandleW, GetVersionExW, GetSystemInfo, FreeLibrary, GetProcAddress, LoadLibraryW, ReadFile, CreateFileW, WideCharToMultiByte, MultiByteToWideChar, CreateDirectoryW, CopyFileExW, SetFileAttributesW, lstrcpyW, FindResourceW, SetConsoleMode, LoadResource, LockResource, SizeofResource, HeapQueryInformation, QueryPerformanceFrequency, VirtualAlloc, VirtualQuery, ExitProcess, GetACP, GetConsoleMode, ReadConsoleW, GetConsoleCP, IsValidLocale, EnumSystemLocalesW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetConsoleCtrlHandler, WriteConsoleW, GetSystemTime, FlushConsoleInputBuffer, GlobalMemoryStatus, ReadConsoleInputA
USER32.dll	MapVirtualKeyW, GetKeyNameTextW, TranslateMessage, GetMessageW, DestroyMenu, CharUpperW, GetDesktopWindow, GetActiveWindow, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamW, DrawStateW, RemoveMenu, InsertMenuW, GetMenuState, GetMenuStringW, FillRect, GetWindowDC, LoadBitmapW, SetMenuItemInfoW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, IsDialogMessageW, CheckDlgButton, MoveWindow, GetMonitorInfoW, MonitorFromWindow, WinHelpW, SetScrollInfo, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, GetWindow, GetLastActivePopup, GetTopWindow, GetClassLongW, EqualRect, MapWindowPoints, MessageBoxW, AdjustWindowRectEx, GetWindowTextLengthW, RemovePropW, GetPropW, SetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, ValidateRect, EndPaint, BeginPaint, GetForegroundWindow, SetActiveWindow, GetMenuItemID, SetMenu, GetMenu, GetKeyState, GetFocus, SetFocus, GetDlgCtrlID, GetDlgItem, IsWindowVisible, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, PostQuitMessage, SetWindowPos, DestroyWindow, IsChild, IsMenu, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, CallWindowProcW, DefWindowProcW, GetMessageTime, PeekMessageW, DispatchMessageW, LoadMenuW, GetNextDlgGroupItem, ReleaseCapture, WindowFromPoint, GetCapture, SetWindowTextW, ClientToScreen, GetWindowLongW, GetWindowThreadProcessId, GetClassNameW, IsWindowEnabled, GetWindowTextW, TrackMouseEvent, IsZoomed, LoadAcceleratorsW, CreateAcceleratorTableW, DestroyAcceleratorTable, SetCursorPos, SetParent, ShowWindow, EnumChildWindows, UnregisterClassW, ExitWindowsEx, TrackPopupMenu, SetForegroundWindow, CreatePopupMenu, GetCursorPos, DrawIcon, IsIconic, RegisterDeviceNotificationW, LoadIconW, SendMessageTimeoutW, EnumWindows, GrayStringW, DrawTextExW, TabbedTextOutW, UpdateWindow, GetScrollInfo, SetRectEmpty, AppendMenuW, GetSubMenu, GetMenuItemInfoW, GetMenuItemCount, OffsetRect, DrawIconEx, DrawEdge, SetCapture, GetSystemMenu, DeleteMenu, SetWindowRgn, MessageBeep, NotifyWinEvent, GetMenuDefaultItem, SetMenuDefaultItem, IsRectEmpty, UpdateLayeredWindow, EnableScrollBar, UnionRect, MonitorFromPoint, CharNextW, CopyAcceleratorTableW, InvalidateRgn, SetRect, CopyRect, SystemParametersInfoW, DestroyIcon, SetWindowContextHelpId, MapDialogRect, ShowOwnedPopups, CopyImage, SendDlgItemMessageA, GetSysColorBrush, RealChildWindowFromPoint, GetAsyncKeyState, SetLayeredWindowAttributes, GetWindowPlacement, EnumDisplayMonitors, BringWindowToTop, LockWindowUpdate, SetClassLongW, ReleaseDC, GetKeyboardState, GetDC, SetCursor, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClipboardFormatW, CharUpperBuffW, ModifyMenuW, TranslateAcceleratorW, InsertMenuItemW, UnpackDDElParam, ReuseDDElParam, CopyIcon, FrameRect, PostThreadMessageW, WaitMessage, GetIconInfo, HideCaret, InvertRect, GetDoubleClickTime, MessageBoxA, GetUserObjectInformationW, GetProcessWindowStation, IsCharLowerW, MapVirtualKeyExW, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, IsClipboardFormatAvailable, GetUpdateRect, SubtractRect, CreateMenu, DestroyCursor, GetComboBoxInfo, GetWindowRgn, GetKeyboardLayout, ToUnicodeEx, DrawFocusRect, LoadImageW, PtInRect, ScreenToClient, GetMessagePos, SetWindowLongW, LoadCursorW, SetTimer, KillTimer, RedrawWindow, EnableWindow, GetClientRect, SendMessageW, InvalidateRect, GetParent, IsWindow, PostMessageW, RegisterWindowMessageW, GetWindowRect, GetSysColor, DrawFrameControl, InflateRect, GetSystemMetrics, DrawTextW, IntersectRect
GDI32.dll	GetDeviceCaps, GetPixel, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectPalette, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextAlign, MoveToEx, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateDCW, CombineRgn, CreateRectRgnIndirect, SetRectRgn, DPtoLP, EnumFontFamiliesW, GetTextCharsetInfo, GetTextMetricsW, CreateRoundRectRgn, CreateDIBSection, GetRgnBox, EnumFontFamiliesExW, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, RealizePalette, SetPixel, StretchBlt, SetDIBColorTable, OffsetRgn, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, LPtoDP, ExtFloodFill, SetPaletteEntries, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, GetWindowOrgEx, GetViewportOrgEx, SetPixelV, GetTextFaceW, GetClipBox, ExcludeClipRect, DeleteDC, CreateRectRgn, CreatePatternBrush, CreateHatchBrush, SetBkColor, Rectangle, GetBkColor, Escape, ExtTextOutW, RectVisible, PtVisible, TextOutW, CreatePen, GetMapMode, CreateDIBitmap, PatBlt, CreateBitmap, GetTextColor, CreateFontW, DeleteObject, GetTextExtentPoint32W, GetStockObject, SetBkMode, SetTextColor, SelectObject, BitBlt, RoundRect, CreateCompatibleBitmap, CreateCompatibleDC, GetObjectW, CreateFontIndirectW, CopyMetaFileW, GetObjectType, CreateSolidBrush
MSIMG32.dll	TransparentBlt, AlphaBlend
WINSPOOL.DRV	OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll	RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, RegEnumKeyExW, CryptEnumProvidersA, CryptSignHashA, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptAcquireContextA, ReportEventA, RegisterEventSourceA, DeregisterEventSource, RegQueryValueW, CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt, RegCloseKey, RegEnumKeyW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, CryptDecrypt, CryptReleaseContext, CryptDestroyHash, CryptDestroyKey
SHELL32.dll	DragQueryFileW, SHAppBarMessage, SHGetFileInfoW, SHGetPathFromIDListW, DragFinish, Shell_NotifyIconW, ShellExecuteW, SHGetFolderPathW, SHGetSpecialFolderLocation, SHGetDesktopFolder, SHCreateDirectoryExW, SHBrowseForFolderW
COMCTL32.dll	InitCommonControlsEx, _TrackMouseEvent
SHLWAPI.dll	UrlUnescapeW, PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathIsDirectoryW, PathCombineW, PathFindFileNameW, PathRemoveFileSpecW, PathFileExistsW, StrFormatKBSizeW
UxTheme.dll	GetThemeSysColor, IsAppThemed, DrawThemeText, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeColor, GetCurrentThemeName, CloseThemeData, GetWindowTheme, IsThemeBackgroundPartiallyTransparent, GetThemePartSize
ole32.dll	CoInitializeEx, CoUninitialize, CoRegisterMessageFilter, CoRevokeClassObject, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleGetClipboard, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleLockRunning, OleUninitialize, OleInitialize, CoFreeUnusedLibraries, DoDragDrop, OleIsCurrentClipboard, OleFlushClipboard, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoGetClassObject, CoDisconnectObject, CoInitialize, CLSIDFromProgID, CLSIDFromString, CoCreateGuid, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CoSetProxyBlanket, CoInitializeSecurity, CreateStreamOnHGlobal, StringFromGUID2, CoCreateInstance
OLEAUT32.dll	SysFreeString, SysAllocString, OleCreateFontIndirect, VarBstrFromDate, VariantCopy, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, LoadTypeLib, VariantChangeType, SysAllocStringLen, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayUnaccessData, SafeArrayAccessData, VariantClear, VariantInit, SysStringLen, VarBstrCat
oledlg.dll	OleUIBusyW
gdiplus.dll	GdipSetInterpolationMode, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePalette, GdipGetImagePaletteSize, GdipCreateBitmapFromStream, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipLoadImageFromStream, GdiplusShutdown, GdiplusStartup, GdipDrawString, GdipSetStringFormatLineAlign, GdipSetStringFormatAlign, GdipDeleteFont, GdipCreateFontFamilyFromName, GdipDeleteFontFamily, GdipGetGenericFontFamilySansSerif, GdipCreateFont, GdipGetDpiY, GdipDeleteStringFormat, GdipCreateStringFormat, GdipGraphicsClear, GdipSetSolidFillColor, GdipAddPathEllipseI, GdipResetPath, GdipDrawPath, GdipClosePathFigure, GdipAddPathArcI, GdipDeletePen, GdipCreatePen1, GdipDeletePath, GdipCreatePath, GdipFillPath, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipSetSmoothingMode, GdipGetImageGraphicsContext, GdipCreateBitmapFromScan0, GdipReleaseDC, GdipDrawImageRectI, GdipImageSelectActiveFrame, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipImageGetFrameCount, GdipImageGetFrameDimensionsList, GdipImageGetFrameDimensionsCount, GdipCloneImage, GdipDisposeImage, GdipFillRectangleI, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateSolidFill, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipFree
SETUPAPI.dll	SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailW, SetupDiGetClassDevsW
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
OLEACC.dll	CreateStdAccessibleObject, LresultFromObject, AccessibleObjectFromWindow
WININET.dll	HttpQueryInfoW, InternetCrackUrlW, InternetCanonicalizeUrlW, InternetOpenW, InternetCloseHandle, InternetOpenUrlW, InternetReadFile, InternetSetFilePointer, InternetWriteFile, InternetQueryDataAvailable, InternetQueryOptionW, InternetGetLastResponseInfoW, InternetSetStatusCallbackW
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll	PlaySoundW
CRYPT32.dll	CertOpenStore, CertCloseStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateContextProperty

Version Infos

Description	Data
LegalCopyright
InternalName	.exe
FileVersion	8.21.2.19
CompanyName
ProductName
ProductVersion	8.21.2.19
FileDescription
OriginalFilename	.exe
Translation	0x0804 0x03a8

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2021 15:29:36.553842068 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:36.840847015 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:36.841085911 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:36.873507977 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.160448074 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160485029 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160509109 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160530090 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160552979 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160577059 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160600901 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160619974 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160639048 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160657883 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160682917 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.160712957 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.160731077 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.160732985 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.160734892 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.160737038 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.160738945 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.447776079 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447809935 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447823048 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447834015 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447845936 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447858095 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447875977 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447892904 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447909117 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447922945 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447937965 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447961092 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447978020 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.447998047 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448018074 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448038101 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448057890 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448071957 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.448086023 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.448086023 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448087931 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.448090076 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.448102951 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448112011 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.448124886 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.448254108 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.448261023 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.734992981 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735023975 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735045910 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735058069 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735069036 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735073090 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735088110 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735104084 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735142946 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735147953 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735152006 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735162973 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735182047 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735186100 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735203028 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735224009 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735239983 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735260963 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735279083 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735285044 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735287905 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735291004 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735297918 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735318899 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735337019 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735358000 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735375881 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735378027 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735379934 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735383034 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735395908 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735415936 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735431910 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735450983 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735467911 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735475063 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735477924 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735480070 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735488892 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735510111 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735527039 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735529900 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735532999 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735548973 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735565901 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735584974 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735604048 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735604048 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735608101 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735625982 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735644102 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735651970 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735667944 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735691071 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735707998 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735714912 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735723972 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735728025 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:29:37.735776901 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:29:37.735780001 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:30:37.737411022 CEST	80	49724	112.126.77.190	192.168.2.3
Jun 24, 2021 15:30:37.737492085 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:31:25.947722912 CEST	49724	80	192.168.2.3	112.126.77.190
Jun 24, 2021 15:31:26.234846115 CEST	80	49724	112.126.77.190	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2021 15:29:18.698951006 CEST	50620	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:18.754713058 CEST	53	50620	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:19.068057060 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:19.117228985 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:20.283736944 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:20.331218004 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:20.514357090 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:20.571300030 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:21.377226114 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:21.430464983 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:22.529210091 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:22.585052013 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:23.772361994 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:23.820183039 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:25.085674047 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:25.137200117 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:29.193360090 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:29.240453005 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:30.358131886 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:30.413394928 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:31.497596025 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:31.552912951 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:32.603380919 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:32.649447918 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:34.857395887 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:34.906316042 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:36.049155951 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:36.233649969 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:36.291781902 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:36.502310038 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:37.354731083 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:37.401866913 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:38.779426098 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:38.826997042 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:40.011369944 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:40.060503960 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:41.244128942 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:41.299051046 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:44.332541943 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:44.380310059 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:45.430242062 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:45.476232052 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:52.057296038 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:52.129296064 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 24, 2021 15:29:58.859651089 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:29:58.927566051 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 24, 2021 15:30:14.355463028 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:30:14.412081957 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 24, 2021 15:30:15.700639963 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:30:15.770515919 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 24, 2021 15:30:28.842231035 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:30:28.906152010 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 24, 2021 15:30:34.309969902 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:30:34.367999077 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 24, 2021 15:31:03.620203018 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:31:03.683252096 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 24, 2021 15:31:05.674423933 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 24, 2021 15:31:05.743817091 CEST	53	56579	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 24, 2021 15:29:36.049155951 CEST	192.168.2.3	8.8.8.8	0x132e	Standard query (0)	jsy.newitboy.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 24, 2021 15:29:36.502310038 CEST	8.8.8.8	192.168.2.3	0x132e	No error (0)	jsy.newitboy.com		112.126.77.190	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

jsy.newitboy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49724	112.126.77.190	80	C:\Users\user\Desktop\FA3TCAsA9E.exe

Timestamp	kBytes transferred	Direction	Data
Jun 24, 2021 15:29:36.873507977 CEST	1100	OUT	GET /wllinfo/newoemjsy/oemtianm.txt HTTP/1.1 User-Agent: HttpClient Host: jsy.newitboy.com Cache-Control: no-cache
Jun 24, 2021 15:29:37.160485029 CEST	1105	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 24 Jun 2021 13:29:36 GMT Content-Type: text/plain Content-Length: 88984 Last-Modified: Thu, 24 Jun 2021 08:21:30 GMT Connection: keep-alive Vary: Accept-Encoding ETag: "60d4408a-15b98" Accept-Ranges: bytes Data Raw: 38 34 41 34 37 33 33 43 39 37 35 45 39 42 0a 5b 41 31 38 34 35 44 33 33 39 35 30 45 43 43 30 39 31 36 36 39 39 32 41 44 30 32 30 34 5d 0a 42 41 39 45 35 45 33 36 39 45 3d 37 32 35 43 45 31 38 33 32 43 38 46 34 37 43 35 37 35 37 41 43 45 41 43 35 41 31 36 38 37 33 37 38 32 35 43 36 31 42 46 32 43 46 34 41 44 33 36 34 36 32 36 34 30 32 43 45 38 0a 41 37 39 39 34 45 33 46 38 33 3d 46 46 0a 41 38 39 45 34 36 33 46 39 35 35 45 39 31 35 41 3d 42 39 39 45 34 34 36 42 43 42 30 39 43 38 30 44 31 32 37 42 39 32 45 37 30 30 31 38 44 30 37 34 38 45 0a 42 42 38 34 34 38 33 39 39 41 34 42 39 41 35 33 34 33 37 34 3d 46 46 0a 41 31 38 34 34 38 32 46 39 32 35 33 39 38 3d 42 39 39 45 34 34 36 42 43 42 0a 41 31 38 34 34 42 32 38 39 38 35 37 3d 46 38 43 33 0a 41 44 39 36 35 45 3d 42 34 39 44 0a 42 43 39 32 34 43 33 46 38 39 35 41 39 32 35 43 34 37 3d 37 35 30 45 46 39 38 30 42 36 36 43 42 38 37 31 39 42 43 41 31 37 32 30 44 41 44 30 30 34 42 39 33 39 41 42 46 41 32 36 43 45 46 43 43 31 31 36 34 44 35 38 32 33 36 42 42 41 42 45 41 34 35 32 42 36 42 41 33 42 42 33 43 30 37 38 32 42 35 41 30 30 33 30 37 36 36 38 41 30 33 45 33 42 38 35 45 34 32 36 44 32 43 44 46 33 33 32 38 42 38 36 36 30 39 34 35 42 45 33 0a 42 43 39 36 35 45 33 46 3d 46 42 0a 41 33 39 33 31 46 3d 46 43 43 33 31 33 31 39 42 39 30 37 43 34 30 38 31 35 35 37 39 35 41 45 32 42 37 34 38 32 34 33 44 45 35 37 30 34 42 38 32 44 37 39 32 33 44 33 44 41 42 37 43 43 41 38 33 38 37 34 32 32 44 35 0a 42 38 39 32 35 38 33 33 39 44 34 36 3d 46 46 0a 41 32 39 45 34 34 33 31 38 38 34 42 38 45 3d 46 44 43 31 31 41 36 42 38 37 35 30 38 43 30 45 35 45 37 32 44 39 41 43 31 36 34 45 44 38 33 36 0a 42 36 39 41 31 42 30 35 38 45 34 44 39 30 3d 41 36 38 33 35 45 32 41 38 38 30 35 44 33 31 30 35 41 33 44 44 30 46 43 30 34 35 34 44 34 36 45 38 45 31 42 36 46 45 30 37 37 31 35 36 35 43 45 44 41 42 36 43 36 44 36 36 43 30 41 34 45 43 46 30 39 37 44 45 38 33 30 37 38 38 45 44 37 41 33 38 36 41 42 36 41 45 39 33 37 37 45 32 32 38 36 36 37 44 45 34 45 31 39 34 39 39 46 37 32 35 42 45 41 35 45 38 38 33 37 38 44 45 35 44 33 37 38 46 46 46 32 31 38 33 32 42 42 0a 42 36 39 41 31 42 30 35 38 46 34 36 38 43 35 41 3d 46 45 0a 41 31 38 37 31 42 30 35 38 45 34 44 39 30 3d 41 36 38 33 35 45 32 41 43 31 31 30 44 33 34 36 35 37 37 44 39 33 42 33 30 34 35 33 43 32 36 45 39 45 30 43 32 45 46 30 33 36 35 39 37 39 38 43 43 31 39 35 39 38 45 35 36 38 32 35 37 38 38 35 30 44 33 45 46 33 33 33 36 37 43 45 39 36 42 44 38 34 41 39 36 41 45 46 36 38 33 38 36 32 43 36 37 45 44 44 35 37 35 45 30 46 38 36 32 41 30 35 45 44 35 41 43 45 37 36 38 46 46 35 39 32 32 42 46 43 45 41 34 44 36 46 42 41 33 45 43 46 0a 41 31 38 37 31 42 30 35 38 46 34 36 38 43 35 41 3d 46 45 0a 41 46 38 45 31 42 30 35 38 45 34 44 39 30 3d 41 36 38 33 35 45 32 41 43 31 31 30 44 33 34 36 35 37 37 44 39 33 42 33 30 34 35 33 43 32 36 45 39 45 30 43 32 45 46 30 33 36 35 39 37 39 38 43 43 31 39 35 39 38 45 35 36 38 32 35 37 38 38 35 30 44 33 45 46 33 33 33 36 37 43 45 39 36 42 44 38 34 41 39 36 41 45 46 36 38 33 38 36 32 43 36 37 45 44 44 35 37 35 45 30 46 38 36 32 41 30 35 45 44 35 41 43 45 37 36 38 46 46 35 39 32 32 42 46 43 45 41 34 44 36 46 42 41 33 45 43 46 0a 41 46 38 45 31 42 30 35 38 46 34 36 38 43 35 41 3d 46 45 Data Ascii: 84A4733C975E9B[A1845D33950ECC09166992AD0204]BA9E5E369E=725CE1832C8F47C5757ACEAC5A168737825C61BF2CF4AD364626402CE8A7994E3F83=FFA89E463F955E915A=B99E446BCB09C80D127B92E70018D0748EBB8448399A4B9A534374=FFA184482F925398=B99E446BCBA1844B289857=F8C3AD965E=B49DBC924C3F895A925C47=750EF980B66CB8719BCA1720DAD004B939ABFA26CEFCC1164D58236BBABEA452B6BA3BB3C0782B5A00307668A03E3B85E426D2CDF3328B8660945BE3BC965E3F=FBA3931F=FCC31319B907C408155795AE2B748243DE5704B82D7923D3DAB7CCA8387422D5B89258339D46=FFA29E4431884B8E=FDC11A6B87508C0E5E72D9AC164ED836B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CEDAB6C6D66C0A4ECF097DE830788ED7A386AB6AE9377E228667DE4E19499F725BEA5E88378DE5D378FFF21832BBB69A1B058F468C5A=FEA1871B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF03659798CC19598E5682578850D3EF33367CE96BD84A96AEF683862C67EDD575E0F862A05ED5ACE768FF5922BFCEA4D6FBA3ECFA1871B058F468C5A=FEAF8E1B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF03659798CC19598E5682578850D3EF33367CE96BD84A96AEF683862C67EDD575E0F862A05ED5ACE768FF5922BFCEA4D6FBA3ECFAF8E1B058F468C5A=FE
Jun 24, 2021 15:29:37.160509109 CEST	1107	IN	Data Raw: 0a 46 44 43 31 31 41 36 42 41 34 34 41 38 45 35 33 3d 41 36 38 33 35 45 32 41 38 38 30 35 44 33 31 30 35 42 36 36 43 45 45 44 30 42 35 38 39 42 33 34 44 43 35 45 36 46 45 41 37 36 31 35 36 35 39 34 39 43 39 38 41 41 45 35 35 43 37 41 37 33 38 32 Data Ascii: FDC11A6BA44A8E53=A6835E2A8805D3105B66CEED0B589B34DC5E6FEA761565949C98AAE55C7A73823342ED0866C7FDC11A6BA44B854F47=FCBD9E503F=003396A44FCC2C9E183394B35F71AA965E3F=760BFA98318E40DB183392AD58079837D94370BCAB8F5E=AB844E[A1845D33950ECC09166992A
Jun 24, 2021 15:29:37.160530090 CEST	1108	IN	Data Raw: 41 38 38 30 35 44 33 31 30 35 42 36 36 43 45 45 44 30 42 35 38 39 42 33 34 44 43 35 45 36 46 45 41 37 36 31 35 36 35 39 34 39 43 39 38 41 41 45 35 37 46 30 32 34 45 42 34 32 43 34 38 42 30 31 43 36 45 46 38 0a 46 44 43 31 31 41 36 42 41 34 34 42 Data Ascii: A8805D3105B66CEED0B589B34DC5E6FEA761565949C98AAE57F024EB42C48B01C6EF8FDC11A6BA44B854F47=FCBD9E503F=003396A44FCC2C9E183393B35971AA965E3F=760BFA98318E40DB183392AD58069837D34370B8AB8F5E=AB844E[A1845D339508CA0B58]BA9E5E369E=725CE1832C8F47C57
Jun 24, 2021 15:29:37.160552979 CEST	1109	IN	Data Raw: 41 34 34 46 43 43 32 43 39 45 31 38 33 33 39 34 42 33 35 42 37 31 0a 41 41 39 36 35 45 33 46 3d 37 36 30 42 46 41 39 38 33 31 38 45 34 30 44 42 31 38 33 33 39 32 41 44 35 38 30 37 39 38 33 37 44 39 34 33 37 30 42 43 0a 41 42 38 46 35 45 3d 41 42 Data Ascii: A44FCC2C9E183394B35B71AA965E3F=760BFA98318E40DB183392AD58079837D94370BCAB8F5E=AB844E[A1845D339508CF0D58]BA9E5E369E=725CE1832C8F47C5757ACEAA4A0587C951A8AD34BA8AF0A7994E3F83=FFA89E463F955E915A=B99E446DC80D86550C76D3F9BB8448399A4B9A534374=
Jun 24, 2021 15:29:37.160577059 CEST	1111	IN	Data Raw: 39 5d 0a 42 41 39 45 35 45 33 36 39 45 3d 37 32 35 43 45 31 38 33 32 43 38 46 34 37 43 35 37 35 37 41 43 45 41 43 35 41 31 36 38 34 33 45 44 41 35 37 36 31 42 46 32 43 46 34 41 44 33 36 34 36 32 36 34 30 32 43 45 38 0a 41 37 39 39 34 45 33 46 38 Data Ascii: 9]BA9E5E369E=725CE1832C8F47C5757ACEAC5A16843EDA5761BF2CF4AD364626402CE8A7994E3F83=FFA89E463F955E915A=B99E446BCB09C80E1B2399E70018D0748EBB8448399A4B9A534374=FFA184482F925398=B99E446BCBA1844B289857=F8C3AD965E=B49DBC924C3F895A925C47=750EF
Jun 24, 2021 15:29:37.160600901 CEST	1112	IN	Data Raw: 39 45 34 36 33 46 39 35 35 45 39 31 35 41 3d 42 36 38 37 35 30 33 30 44 35 35 41 38 46 35 42 0a 42 42 38 34 34 38 33 39 39 41 34 42 39 41 35 33 34 33 37 34 3d 46 46 0a 41 31 38 34 34 38 32 46 39 32 35 33 39 38 3d 42 36 38 37 0a 41 31 38 34 34 42 Data Ascii: 9E463F955E915A=B6875030D55A8F5BBB8448399A4B9A534374=FFA184482F925398=B687A1844B289857=FDC5AD965E=B49DBC924C3F895A925C47=750EF980B66CB8719BCA1720DAD004B939ABFA26CEFCC1164D58236BBABEA452B6BA3BB3C0782B5A00307668A03E3B85E426D2CDF3328B8660945B
Jun 24, 2021 15:29:37.160619974 CEST	1113	IN	Data Raw: 37 31 39 42 43 41 31 37 32 30 44 41 44 30 30 34 42 39 33 39 41 42 46 41 32 36 43 45 46 43 43 31 31 36 34 44 35 38 32 33 36 42 42 41 42 45 41 34 35 32 42 36 42 41 33 42 42 33 43 30 37 38 32 42 35 41 30 30 33 30 37 36 36 38 41 30 33 45 33 42 38 35 Data Ascii: 719BCA1720DAD004B939ABFA26CEFCC1164D58236BBABEA452B6BA3BB3C0782B5A00307668A03E3B85E426D2CDF3328B8660945BE3BC965E3F=FBA3931F=F8B56E6FC80ACF086327E5A95B778C42AF5971B85D0D52D0DAC4B0AD3F7C26D1B89258339D46=FFA29E4431884B8E=FDC11A6B87508C0E5E72D
Jun 24, 2021 15:29:37.160639048 CEST	1115	IN	Data Raw: 44 46 33 33 32 38 42 38 36 36 30 39 34 35 42 45 33 0a 42 43 39 36 35 45 33 46 3d 46 42 0a 41 33 39 33 31 46 3d 46 42 43 30 31 45 36 44 43 44 37 42 43 39 37 44 36 33 32 37 45 32 41 44 35 32 30 30 38 35 34 36 41 42 32 44 37 34 43 38 35 39 37 39 35 Data Ascii: DF3328B8660945BE3BC965E3F=FBA3931F=FBC01E6DCD7BC97D6327E2AD52008546AB2D74C8597957A0AFC7C7DE387950D7B89258339D46=FFA29E4431884B8E=FDC11A6B87508C0E5E72D9AC164ED836B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CE989A9ED35C2F6D
Jun 24, 2021 15:29:37.160657883 CEST	1116	IN	Data Raw: 33 39 33 31 46 3d 46 36 43 37 36 43 36 38 42 39 30 36 42 46 30 43 31 30 35 30 39 32 44 45 32 38 37 35 38 37 34 34 41 46 35 45 30 37 42 30 35 39 30 45 35 35 44 36 41 42 42 30 42 34 41 46 33 36 37 41 35 31 44 36 0a 42 38 39 32 35 38 33 33 39 44 34 Data Ascii: 3931F=F6C76C68B906BF0C105092DE28758744AF5E07B0590E55D6ABB0B4AF367A51D6B89258339D46=FFA29E4431884B8E=FDC11A6B87508C0E5E72D9AC164ED836B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CE808EAFF13A1F4ECF097DE830788E8AE184A86AE4683C2
Jun 24, 2021 15:29:37.160682917 CEST	1117	IN	Data Raw: 46 0a 41 32 39 45 34 34 33 31 38 38 34 42 38 45 3d 46 44 43 31 31 41 36 42 38 37 35 30 38 43 30 45 35 45 37 32 44 39 41 43 31 36 34 45 44 38 33 36 0a 42 36 39 41 31 42 30 35 38 45 34 44 39 30 3d 41 36 38 33 35 45 32 41 38 38 30 35 44 33 31 30 35 Data Ascii: FA29E4431884B8E=FDC11A6B87508C0E5E72D9AC164ED836B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CEDEA292EB602A21CF097DE830788E8AE184A86AE4683C228667DE4E19499F7B58EE10926C9AF384B69A1B058F468C5A=FEA1871B058E4D90=A6835E2AC110D346
Jun 24, 2021 15:29:37.447776079 CEST	1121	IN	Data Raw: 37 32 44 39 41 43 31 36 34 45 44 38 33 36 0a 42 36 39 41 31 42 30 35 38 45 34 44 39 30 3d 41 36 38 33 35 45 32 41 38 38 30 35 44 33 31 30 35 41 33 44 44 30 46 43 30 34 35 34 44 34 36 45 38 45 31 42 36 46 45 30 37 37 31 35 36 35 43 45 39 37 42 36 Data Ascii: 72D9AC164ED836B69A1B058E4D90=A6835E2A8805D3105A3DD0FC0454D46E8E1B6FE0771565CE97B6B7EB5E2555CF097DE830788ED7A386AB6AE9377E22C420C116074EC0735DE81A8D309AF19160AAAF19B69A1B058F468C5A=FEA1871B058E4D90=A6835E2AC110D346577D93B30453C26E9E0C2EF0365

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: FA3TCAsA9E.exe PID: 5608 Parent PID: 5680

General

Start time:	15:29:29
Start date:	24/06/2021
Path:	C:\Users\user\Desktop\FA3TCAsA9E.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FA3TCAsA9E.exe'
Imagebase:	0x9c0000
File size:	24123904 bytes
MD5 hash:	465403A9D41D410BA34E029B0831F5D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.233773377.0000000008F12000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FA3TCAsA9E

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics