Edit tour

Windows Analysis Report
nowe zam#U00f3wienie.exe

Overview

General Information

Sample name:	nowe zam#U00f3wienie.exe renamed because original name is a hash value
Original sample name:	nowe zamwienie.exe
Analysis ID:	1558236
MD5:	8148bbdcbec9dd84bdf7089fae43ce62
SHA1:	58cbab87c2cbbe8c54f88089d33526409732f6ad
SHA256:	6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e
Tags:	exeuser-cccx
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Silenttrinity Stager Msbuild Activity

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nowe zam#U00f3wienie.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe" MD5: 8148BBDCBEC9DD84BDF7089FAE43CE62)

powershell.exe (PID: 7588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7980 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7704 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 8176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 1556 MD5: C31336C1EFC2CCB44B4326EA793040F2)

fUamrQdFSPAg.exe (PID: 7936 cmdline: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe MD5: 8148BBDCBEC9DD84BDF7089FAE43CE62)

schtasks.exe (PID: 8128 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 8180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 1560 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "FTP", "FTP Server": "ftp://50.31.176.103/", "FTP Username": "chdex@gdmaduanas.com", "Password": "#MT#mn!6V!@6", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x138ce:$a1: get_encryptedPassword 0x13bba:$a2: get_encryptedUsername 0x136ca:$a3: get_timePasswordChanged 0x137c5:$a4: get_passwordField 0x138e4:$a5: set_encryptedPassword 0x14f6b:$a7: get_logins 0x14ece:$a10: KeyLoggerEventArgs 0x14b39:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1884d:$x1: $%SMTPDV$ 0x17218:$x2: $#TheHashHere%& 0x171c4:$x3: %FTPDV$ 0x18923:$x4: $%TelegramDv$ 0x14b39:$x5: KeyLoggerEventArgs 0x14ece:$x5: KeyLoggerEventArgs 0x18819:$m2: Clipboard Logs ID 0x18a73:$m2: Screenshot Logs ID 0x18b83:$m2: keystroke Logs ID 0x18e5d:$m3: SnakePW 0x18a4b:$m4: \SnakeKeylogger\
00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x82e4e:$a1: get_encryptedPassword 0xa386e:$a1: get_encryptedPassword 0xc408e:$a1: get_encryptedPassword 0x8313a:$a2: get_encryptedUsername 0xa3b5a:$a2: get_encryptedUsername 0xc437a:$a2: get_encryptedUsername 0x82c4a:$a3: get_timePasswordChanged 0xa366a:$a3: get_timePasswordChanged 0xc3e8a:$a3: get_timePasswordChanged 0x82d45:$a4: get_passwordField 0xa3765:$a4: get_passwordField 0xc3f85:$a4: get_passwordField 0x82e64:$a5: set_encryptedPassword 0xa3884:$a5: set_encryptedPassword 0xc40a4:$a5: set_encryptedPassword 0x844eb:$a7: get_logins 0xa4f0b:$a7: get_logins 0xc572b:$a7: get_logins 0x8444e:$a10: KeyLoggerEventArgs 0xa4e6e:$a10: KeyLoggerEventArgs 0xc568e:$a10: KeyLoggerEventArgs
00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x87dcd:$x1: $%SMTPDV$ 0xa87ed:$x1: $%SMTPDV$ 0xc900d:$x1: $%SMTPDV$ 0x86798:$x2: $#TheHashHere%& 0xa71b8:$x2: $#TheHashHere%& 0xc79d8:$x2: $#TheHashHere%& 0x86744:$x3: %FTPDV$ 0xa7164:$x3: %FTPDV$ 0xc7984:$x3: %FTPDV$ 0x87ea3:$x4: $%TelegramDv$ 0xa88c3:$x4: $%TelegramDv$ 0xc90e3:$x4: $%TelegramDv$ 0x840b9:$x5: KeyLoggerEventArgs 0x8444e:$x5: KeyLoggerEventArgs 0xa4ad9:$x5: KeyLoggerEventArgs 0xa4e6e:$x5: KeyLoggerEventArgs 0xc52f9:$x5: KeyLoggerEventArgs 0xc568e:$x5: KeyLoggerEventArgs 0x87d99:$m2: Clipboard Logs ID 0x87ff3:$m2: Screenshot Logs ID 0x88103:$m2: keystroke Logs ID
00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9ab27:$a1: get_encryptedPassword 0x9ae09:$a2: get_encryptedUsername 0x9a92d:$a3: get_timePasswordChanged 0x9aa28:$a4: get_passwordField 0x9ab3d:$a5: set_encryptedPassword 0x9d03b:$a7: get_logins 0x9cf9e:$a10: KeyLoggerEventArgs 0x9cc09:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9cc09:$x5: KeyLoggerEventArgs 0x9cf9e:$x5: KeyLoggerEventArgs 0x9d574:$x5: KeyLoggerEventArgs 0x9d8d5:$x5: KeyLoggerEventArgs 0x9f1d8:$m2: Clipboard Logs ID 0x9f2ec:$m2: Screenshot Logs ID 0x9f342:$m2: keystroke Logs ID 0x9f477:$m3: SnakePW 0x9f2d8:$m4: \SnakeKeylogger\
Process Memory Space: MSBuild.exe PID: 7852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7852	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MSBuild.exe PID: 7852	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a21:$a1: get_encryptedPassword 0x7d03:$a2: get_encryptedUsername 0x7827:$a3: get_timePasswordChanged 0x7922:$a4: get_passwordField 0x7a37:$a5: set_encryptedPassword 0x9f35:$a7: get_logins 0x9e98:$a10: KeyLoggerEventArgs 0x9b03:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MSBuild.exe PID: 7852	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x9b03:$x5: KeyLoggerEventArgs 0x9e98:$x5: KeyLoggerEventArgs 0xa46e:$x5: KeyLoggerEventArgs 0xa7cf:$x5: KeyLoggerEventArgs 0xc0d2:$m2: Clipboard Logs ID 0xc1e6:$m2: Screenshot Logs ID 0xc23c:$m2: keystroke Logs ID 0xc371:$m3: SnakePW 0xc1d2:$m4: \SnakeKeylogger\
Process Memory Space: MSBuild.exe PID: 8180	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cce:$a1: get_encryptedPassword 0x12fba:$a2: get_encryptedUsername 0x12aca:$a3: get_timePasswordChanged 0x12bc5:$a4: get_passwordField 0x12ce4:$a5: set_encryptedPassword 0x1436b:$a7: get_logins 0x142ce:$a10: KeyLoggerEventArgs 0x13f39:$a11: KeyLoggerEventArgsEventHandler
0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a657:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19889:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cbc:$a4: \Orbitum\User Data\Default\Login Data 0x1acfb:$a5: \Kometa\User Data\Default\Login Data
0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c7:$s1: UnHook 0x138ce:$s2: SetHook 0x138d6:$s3: CallNextHook 0x138e3:$s4: _hook
0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c4d:$x1: $%SMTPDV$ 0x16618:$x2: $#TheHashHere%& 0x165c4:$x3: %FTPDV$ 0x17d23:$x4: $%TelegramDv$ 0x13f39:$x5: KeyLoggerEventArgs 0x142ce:$x5: KeyLoggerEventArgs 0x17c19:$m2: Clipboard Logs ID 0x17e73:$m2: Screenshot Logs ID 0x17f83:$m2: keystroke Logs ID 0x1825d:$m3: SnakePW 0x17e4b:$m4: \SnakeKeylogger\
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cce:$a1: get_encryptedPassword 0x12fba:$a2: get_encryptedUsername 0x12aca:$a3: get_timePasswordChanged 0x12bc5:$a4: get_passwordField 0x12ce4:$a5: set_encryptedPassword 0x1436b:$a7: get_logins 0x142ce:$a10: KeyLoggerEventArgs 0x13f39:$a11: KeyLoggerEventArgsEventHandler
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a657:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19889:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cbc:$a4: \Orbitum\User Data\Default\Login Data 0x1acfb:$a5: \Kometa\User Data\Default\Login Data
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138c7:$s1: UnHook 0x138ce:$s2: SetHook 0x138d6:$s3: CallNextHook 0x138e3:$s4: _hook
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c4d:$x1: $%SMTPDV$ 0x16618:$x2: $#TheHashHere%& 0x165c4:$x3: %FTPDV$ 0x17d23:$x4: $%TelegramDv$ 0x13f39:$x5: KeyLoggerEventArgs 0x142ce:$x5: KeyLoggerEventArgs 0x17c19:$m2: Clipboard Logs ID 0x17e73:$m2: Screenshot Logs ID 0x17f83:$m2: keystroke Logs ID 0x1825d:$m3: SnakePW 0x17e4b:$m4: \SnakeKeylogger\
8.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.MSBuild.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.MSBuild.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x148ca:$a3: get_timePasswordChanged 0x149c5:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x1616b:$a7: get_logins 0x160ce:$a10: KeyLoggerEventArgs 0x15d39:$a11: KeyLoggerEventArgsEventHandler
8.2.MSBuild.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c457:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b689:$a3: \Google\Chrome\User Data\Default\Login Data 0x1babc:$a4: \Orbitum\User Data\Default\Login Data 0x1cafb:$a5: \Kometa\User Data\Default\Login Data
8.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x156ce:$s2: SetHook 0x156d6:$s3: CallNextHook 0x156e3:$s4: _hook
8.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a4d:$x1: $%SMTPDV$ 0x18418:$x2: $#TheHashHere%& 0x183c4:$x3: %FTPDV$ 0x19b23:$x4: $%TelegramDv$ 0x15d39:$x5: KeyLoggerEventArgs 0x160ce:$x5: KeyLoggerEventArgs 0x19a19:$m2: Clipboard Logs ID 0x19c73:$m2: Screenshot Logs ID 0x19d83:$m2: keystroke Logs ID 0x1a05d:$m3: SnakePW 0x19c4b:$m4: \SnakeKeylogger\
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x352ee:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x355da:$a2: get_encryptedUsername 0x148ca:$a3: get_timePasswordChanged 0x350ea:$a3: get_timePasswordChanged 0x149c5:$a4: get_passwordField 0x351e5:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x35304:$a5: set_encryptedPassword 0x1616b:$a7: get_logins 0x3698b:$a7: get_logins 0x160ce:$a10: KeyLoggerEventArgs 0x368ee:$a10: KeyLoggerEventArgs 0x15d39:$a11: KeyLoggerEventArgsEventHandler 0x36559:$a11: KeyLoggerEventArgsEventHandler
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x35ee7:$s1: UnHook 0x156ce:$s2: SetHook 0x35eee:$s2: SetHook 0x156d6:$s3: CallNextHook 0x35ef6:$s3: CallNextHook 0x156e3:$s4: _hook 0x35f03:$s4: _hook
0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a4d:$x1: $%SMTPDV$ 0x3a26d:$x1: $%SMTPDV$ 0x18418:$x2: $#TheHashHere%& 0x38c38:$x2: $#TheHashHere%& 0x183c4:$x3: %FTPDV$ 0x38be4:$x3: %FTPDV$ 0x19b23:$x4: $%TelegramDv$ 0x3a343:$x4: $%TelegramDv$ 0x15d39:$x5: KeyLoggerEventArgs 0x160ce:$x5: KeyLoggerEventArgs 0x36559:$x5: KeyLoggerEventArgs 0x368ee:$x5: KeyLoggerEventArgs 0x19a19:$m2: Clipboard Logs ID 0x19c73:$m2: Screenshot Logs ID 0x19d83:$m2: keystroke Logs ID 0x3a239:$m2: Clipboard Logs ID 0x3a493:$m2: Screenshot Logs ID 0x3a5a3:$m2: keystroke Logs ID 0x1a05d:$m3: SnakePW 0x3a87d:$m3: SnakePW 0x19c4b:$m4: \SnakeKeylogger\
0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ace:$a1: get_encryptedPassword 0x354ee:$a1: get_encryptedPassword 0x55d0e:$a1: get_encryptedPassword 0x14dba:$a2: get_encryptedUsername 0x357da:$a2: get_encryptedUsername 0x55ffa:$a2: get_encryptedUsername 0x148ca:$a3: get_timePasswordChanged 0x352ea:$a3: get_timePasswordChanged 0x55b0a:$a3: get_timePasswordChanged 0x149c5:$a4: get_passwordField 0x353e5:$a4: get_passwordField 0x55c05:$a4: get_passwordField 0x14ae4:$a5: set_encryptedPassword 0x35504:$a5: set_encryptedPassword 0x55d24:$a5: set_encryptedPassword 0x1616b:$a7: get_logins 0x36b8b:$a7: get_logins 0x573ab:$a7: get_logins 0x160ce:$a10: KeyLoggerEventArgs 0x36aee:$a10: KeyLoggerEventArgs 0x5730e:$a10: KeyLoggerEventArgs
0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156c7:$s1: UnHook 0x360e7:$s1: UnHook 0x56907:$s1: UnHook 0x156ce:$s2: SetHook 0x360ee:$s2: SetHook 0x5690e:$s2: SetHook 0x156d6:$s3: CallNextHook 0x360f6:$s3: CallNextHook 0x56916:$s3: CallNextHook 0x156e3:$s4: _hook 0x36103:$s4: _hook 0x56923:$s4: _hook
0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a4d:$x1: $%SMTPDV$ 0x3a46d:$x1: $%SMTPDV$ 0x5ac8d:$x1: $%SMTPDV$ 0x18418:$x2: $#TheHashHere%& 0x38e38:$x2: $#TheHashHere%& 0x59658:$x2: $#TheHashHere%& 0x183c4:$x3: %FTPDV$ 0x38de4:$x3: %FTPDV$ 0x59604:$x3: %FTPDV$ 0x19b23:$x4: $%TelegramDv$ 0x3a543:$x4: $%TelegramDv$ 0x5ad63:$x4: $%TelegramDv$ 0x15d39:$x5: KeyLoggerEventArgs 0x160ce:$x5: KeyLoggerEventArgs 0x36759:$x5: KeyLoggerEventArgs 0x36aee:$x5: KeyLoggerEventArgs 0x56f79:$x5: KeyLoggerEventArgs 0x5730e:$x5: KeyLoggerEventArgs 0x19a19:$m2: Clipboard Logs ID 0x19c73:$m2: Screenshot Logs ID 0x19d83:$m2: keystroke Logs ID
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", ParentImage: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe, ParentProcessId: 7416, ParentProcessName: nowe zam#U00f3wienie.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", ProcessId: 7588, ProcessName: powershell.exe

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 132.226.247.73, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7852, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49741

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe, ParentImage: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe, ParentProcessId: 7936, ParentProcessName: fUamrQdFSPAg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp", ProcessId: 8128, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", ParentImage: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe, ParentProcessId: 7416, ParentProcessName: nowe zam#U00f3wienie.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp", ProcessId: 7704, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", ParentImage: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe, ParentProcessId: 7416, ParentProcessName: nowe zam#U00f3wienie.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", ProcessId: 7588, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe", ParentImage: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe, ParentProcessId: 7416, ParentProcessName: nowe zam#U00f3wienie.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp", ProcessId: 7704, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://50.31.176.103/", "FTP Username": "chdex@gdmaduanas.com", "Password": "#MT#mn!6V!@6", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Virustotal: Detection: 45%			Perma Link

Multi AV Scanner detection for submitted file

Source: nowe zam#U00f3wienie.exe	ReversingLabs: Detection: 36%
Source: nowe zam#U00f3wienie.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nowe zam#U00f3wienie.exe

Joe Sandbox ML: detected

Source: nowe zam#U00f3wienie.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nowe zam#U00f3wienie.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 0000000D.00000002.2949045307.0000000001218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: VzyO.pdb source: nowe zam#U00f3wienie.exe, fUamrQdFSPAg.exe.0.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDBo source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbs source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdbH source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbni source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdbD source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.pdba source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: VzyO.pdbSHA256 source: nowe zam#U00f3wienie.exe, fUamrQdFSPAg.exe.0.dr
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdbeys source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdbR source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbt source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: o.pdb source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: Microsoft.VisualBasic.pdb0_ source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Core.pdbp source: WER8F6F.tmp.dmp.21.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Windows.Forms.pdbh source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbp source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb&& source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbn=b03f source: MSBuild.exe, 0000000D.00000002.2949045307.0000000001218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbt source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 4x nop then jmp 06FD478Fh		0_2_06FD491D
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 4x nop then jmp 07903A37h		9_2_07903BC6

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: unknown

DNS query: name: checkip.dyndns.org

Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	TCP traffic detected without corresponding DNS query: 20.223.35.26
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: MSBuild.exe, 00000008.00000002.2952175498.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: MSBuild.exe, 00000008.00000002.2952175498.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2952175498.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749044667.0000000002551000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, fUamrQdFSPAg.exe, 00000009.00000002.1779154692.0000000003284000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nowe zam#U00f3wienie.exe, fUamrQdFSPAg.exe.0.dr	String found in binary or memory: http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp, nowe zam#U00f3wienie.exe, 00000000.00000002.1751306016.0000000004F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_0081D57C	0_2_0081D57C
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE34B8	0_2_06EE34B8
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE2106	0_2_06EE2106
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EEF6C0	0_2_06EEF6C0
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE6669	0_2_06EE6669
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE6678	0_2_06EE6678
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EEF288	0_2_06EEF288
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EEEE50	0_2_06EEEE50
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EEBD18	0_2_06EEBD18
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EEEA18	0_2_06EEEA18
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06FD6568	0_2_06FD6568
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06FD0CE8	0_2_06FD0CE8
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06FD0CD8	0_2_06FD0CD8
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06FD2198	0_2_06FD2198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_02B93572	8_2_02B93572
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_0169D57C	9_2_0169D57C
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_077134B8	9_2_077134B8
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07712106	9_2_07712106
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07716678	9_2_07716678
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07716669	9_2_07716669
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_0771F6C0	9_2_0771F6C0
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_077134A8	9_2_077134A8
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_0771F288	9_2_0771F288
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_0771EE50	9_2_0771EE50
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_0771BD22	9_2_0771BD22
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_0771EA18	9_2_0771EA18
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07905830	9_2_07905830
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07900CD8	9_2_07900CD8
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07900CE8	9_2_07900CE8
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Code function: 9_2_07902010	9_2_07902010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_02CE3572	13_2_02CE3572

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 1556

Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1752752233.0000000006C35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE3:m2 vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749044667.0000000002551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749044667.0000000002551000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1754238314.0000000008470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1753619109.0000000006E10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1748529950.000000000087E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749511432.0000000003761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe, 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs nowe zam#U00f3wienie.exe
Source: nowe zam#U00f3wienie.exe	Binary or memory string: OriginalFilenameVzyO.exeP vs nowe zam#U00f3wienie.exe

Source: nowe zam#U00f3wienie.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: nowe zam#U00f3wienie.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fUamrQdFSPAg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, sDEXUFRl2S88gO7MAu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, niENrkpuxYr7eXZ2uR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, niENrkpuxYr7eXZ2uR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, niENrkpuxYr7eXZ2uR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, niENrkpuxYr7eXZ2uR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, niENrkpuxYr7eXZ2uR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, niENrkpuxYr7eXZ2uR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, sDEXUFRl2S88gO7MAu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb&&
Source: MSBuild.exe, 0000000D.00000002.2949045307.0000000001218000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbn=b03f

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/21@1/5

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

File created: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Mutant created: \Sessions\1\BaseNamedObjects\nwhyoSfAsrSZtXogEHXnQWrGCvy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8180
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7852
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp

Jump to behavior

Source: nowe zam#U00f3wienie.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nowe zam#U00f3wienie.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nowe zam#U00f3wienie.exe	ReversingLabs: Detection: 36%
Source: nowe zam#U00f3wienie.exe	Virustotal: Detection: 45%

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

File read: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 1556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 1560
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: nowe zam#U00f3wienie.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nowe zam#U00f3wienie.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: nowe zam#U00f3wienie.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: MSBuild.exe, 0000000D.00000002.2949045307.0000000001218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: VzyO.pdb source: nowe zam#U00f3wienie.exe, fUamrQdFSPAg.exe.0.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2950275229.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.PDBo source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbs source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdbH source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbni source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\MSBuild.pdbD source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.pdba source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: VzyO.pdbSHA256 source: nowe zam#U00f3wienie.exe, fUamrQdFSPAg.exe.0.dr
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdbeys source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\MSBuild.pdbR source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbt source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: C:\Windows\MSBuild.pdbpdbild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: o.pdb source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: Microsoft.VisualBasic.pdb0_ source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Core.pdbp source: WER8F6F.tmp.dmp.21.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Windows.Forms.pdbh source: WER99BF.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbp source: MSBuild.exe, 0000000D.00000002.2949045307.000000000129B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb&& source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbn=b03f source: MSBuild.exe, 0000000D.00000002.2949045307.0000000001218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8F6F.tmp.dmp.21.dr, WER99BF.tmp.dmp.23.dr
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.pdbt source: MSBuild.exe, 00000008.00000002.2948662102.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2948165656.0000000000D97000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, niENrkpuxYr7eXZ2uR.cs	.Net Code: KHbvGT9uh31O2OhDRCu System.Reflection.Assembly.Load(byte[])
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, niENrkpuxYr7eXZ2uR.cs	.Net Code: KHbvGT9uh31O2OhDRCu System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE17AD push FFFFFF8Fh; iretd	0_2_06EE17B4
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EEAD57 push es; iretd	0_2_06EEAD78
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE0A8E pushfd ; iretd	0_2_06EE0A8F
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Code function: 0_2_06EE0B02 pushfd ; iretd	0_2_06EE0B03

Source: nowe zam#U00f3wienie.exe	Static PE information: section name: .text entropy: 7.933853621322833
Source: fUamrQdFSPAg.exe.0.dr	Static PE information: section name: .text entropy: 7.933853621322833

Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, Rgbey1ZDH0xDi1nnoR.cs	High entropy of concatenated method names: 'dXY2mCPPIn', 'Uls2xPZ4ps', 'qdW2XjZ3PP', 'itf2oLYmVM', 'VN424SwDSI', 'vwm2vPfkMy', 'iRD2MUSJLH', 'cB82fbU5nC', 'ePH2ukJtg7', 'smX2yKAD4U'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, NsXZj6kcLxMu0BCYEr8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wydA23pp4f', 'h8dAwnh7Ho', 'Y12AF9nfi8', 'mDVAAqlIZB', 'LhEACiyiIm', 'RLTA7bprRS', 'eKZAN4xcGU'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, rkdQMMfqrHRXWPW2eb.cs	High entropy of concatenated method names: 'pM03Jnb9PW', 'nwx3p7ohiA', 'T403mR06IP', 'oSn3xyBOet', 'Txw3oNZRbR', 'Yid34IftOh', 'IWV3M33dEs', 'OmZ3f9jsJd', 'rgj3yQEua7', 'Ncc3jHLhP6'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, SrXKfBcrBWwDVwLBw3.cs	High entropy of concatenated method names: 'UGdOs40kEI', 'P2AOBlbsi5', 'OAlOWdBf9H', 'pdnOPH0rhB', 'PX7OVMIPBk', 'RyPOa4ZJua', 'UqkBIuQjPD9ZbWpBeb', 'SHRcmjmD3FrpMtOVVA', 'fEnOO8mdBe', 'e9VOr01Jrn'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, h7nFedkkiBpctoav1Hf.cs	High entropy of concatenated method names: 'lN1wq8boTp', 'WegwziraWd', 'bvMFIWiSH1', 'B0aFO01qCf', 'FXYF0DgNDy', 'l2oFrgppkh', 'IDmFQsxF6u', 'F6EF6Of8qg', 'CkCFg3xUW4', 'k7VFGdC8lv'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, uO0Rj4hIlT83787XOc.cs	High entropy of concatenated method names: 'lCqsglrjid', 'N0wsn8hqu7', 'Lgbse55WJM', 'hm3eqoO7CU', 'cVjezesqOe', 'z8HsI5s10X', 'JnUsO4pEeY', 'uSns09bg2V', 'pSIsr8ym9Q', 'kc4sQT91Z8'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, A3NeQZEGTZa5sHlUcg.cs	High entropy of concatenated method names: 'ToString', 'Ly9ajBYkxC', 'yxZaxmLB5l', 'gHgaXqXUCK', 'FU6aoZB8JM', 'u2Aa4HX7xg', 'KGwavVN6I3', 'vG2aMivBRF', 'bELafcdpIT', 'BbBauveby6'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, rKYX3Yoso1r2Q771np.cs	High entropy of concatenated method names: 'ci9e6aeCwl', 'LNeeGrbsne', 'gkSeTgdbn6', 'i6pesW7J9F', 'KcceB9UmsD', 'fOwTZsPBhf', 'oHNTYprQt0', 'fuXTSe8i1b', 'Y8wTHtIa8c', 'jITTd4lwSQ'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, NDUt9OvZQqvSTsk28h.cs	High entropy of concatenated method names: 'GVHeN1v51K', 'yJ1elhSLAY', 'T9He9eTKFF', 'W6iebvD2s6', 'YoVekJAk5y', 'fLaecVL4O3', 'yi9epnWB7x', 'jnve1uDMyQ', 'fxjIOSlZB0gmVB7qtax', 'uPqr0hlwPZRBNrEpF7e'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, TibK6SaIoA7u2IBDZP.cs	High entropy of concatenated method names: 'UDQwnorVTB', 'tQawTneYSj', 'MgKwey1d3H', 'LG1wscZRYj', 'yiuw2AosTk', 'TpXwB8xqMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, sDEXUFRl2S88gO7MAu.cs	High entropy of concatenated method names: 'QchGRUPgHU', 'TvjGEkMwZG', 'EKYGhrMUFm', 'MptG5XaeQX', 'sRlGZMqI1W', 'or3GYYdEed', 'qoNGSiZfKI', 'cVvGHa5MOV', 'I06GdKc8fd', 'fktGqMk52t'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, saSu8hLSCCSq4dDMGX.cs	High entropy of concatenated method names: 'Uq5KWu5nuU', 'mrqKPLIuU4', 'ToString', 'L2oKgHCxZE', 'ciBKGuPj70', 'n93KnhExdU', 'DRCKTkinEa', 'OheKeUKc1T', 'DCuKsitNq3', 'EDrKBc3Ik0'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, xkIOlu4ZbcqC0SILHX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XdD0dB8MKU', 'o220qgUTPb', 'xRH0zTOTKG', 'LrhrIpN1Se', 'QAUrOJmKHG', 'MsRr09aLTq', 'v1urrN16GB', 'jr3gc99dGHKYdXBFlkt'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, niENrkpuxYr7eXZ2uR.cs	High entropy of concatenated method names: 'NTUr6I5sp2', 'ASirgTnih5', 'tZIrGySenK', 'biErnd1L3Y', 'VMSrT4yC2l', 'tnGreoIKjU', 'j24rsYNKof', 'jkNrBlS5jQ', 'nqRrD9YDP9', 'BlUrWTT206'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, kNH5SwlEGI0QD7Oerv.cs	High entropy of concatenated method names: 'CZYKHqsEyy', 'T3AKq8ZTSt', 'gpBiIStGWU', 'ytGiOAsqlo', 'dMhKjN3WN7', 'kpAKUlxaVu', 'p0oK8okC1y', 'i27KRm0mUi', 'SwbKEZ5p1d', 'jNAKhu2lXL'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, fSZ9dokHSwe7dMPuMwK.cs	High entropy of concatenated method names: 'NqcFqgdxpq', 'vGeFzDITi7', 'nCsAI6PqjF', 'NdnRKRL2biTGv9uif4Y', 'jBglYwLD185QwOFAngI', 'rJavsiLdQNOftxlUcZJ', 'kyBBK5L0aMD88TFeRpT'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, vgtcTwO6ZFcXjUlHfT.cs	High entropy of concatenated method names: 'HA1TtMrjOH', 'HSJTcr1vXB', 'bpFnXqtXoE', 'Y3Eno2DLIA', 'ghCn4Jvi92', 'th1nvIPqeV', 'U39nMsuFPv', 'xOknfbXR5l', 'KbfnuA2EsL', 'PVYnypOZXO'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, jbiaLRsKr91fvV4MHZ.cs	High entropy of concatenated method names: 'Dispose', 'vCsOdaQtnh', 'w1T0xZYA8r', 'VrjAZxjBm1', 'EOEOqJwxuJ', 'S2SOzqniGh', 'ProcessDialogKey', 'ab30IbHv72', 'ohk0O3efYj', 'Gvr00hGh51'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, tQH6LPzge7uFZht7qt.cs	High entropy of concatenated method names: 'TcPwkvN83r', 'fULwJc6uYH', 'aQpwp0qwtU', 'r5owmSwsCA', 'HsDwxLuJsa', 'WH7woFo6O2', 'lPbw45ymcY', 'oBGwNpRJKv', 'ifhwlq0ow8', 'DVrwLpTqkJ'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, htq5kMkqVhKSMVyqW9b.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ql3wjrbXFo', 'IY1wUVL8hN', 'QOgw8GOA4A', 'IUbwRdT7VO', 'SVhwERfygB', 'jQnwhqkpGj', 'dT3w5iQJTw'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, mLXuhj8rDoVGB4YJk3.cs	High entropy of concatenated method names: 'ytE99i3Ys', 'rJpb5mjlh', 'p14kNF6Nx', 'QE9ce4xu6', 'cKLp6PsR6', 'IaJ1OrrdO', 'IK5RXpedtiI6E9yZ9D', 'lCHJih3afyU9dIna8G', 'txJiUgt0W', 'btRwS2tWo'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, E0YtI8Xv7FwcOkidBR.cs	High entropy of concatenated method names: 'UiR2Vt562v', 'Wq12KS3EY6', 'usi22iuNrB', 'ycG2FpmWmQ', 'gQv2CjuXhA', 'KGC2Nk9JdK', 'Dispose', 'DJCigZfCn1', 'rktiGNQqGk', 'Xmlina81vl'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, eb9V3neAXbgu8BT8q1.cs	High entropy of concatenated method names: 'NT8slVbb1v', 'GXMsLmCcNp', 'Rgks9MPh15', 'OKusbeJUmR', 'F4Nst4vYVB', 'qojskbDhjc', 'rQtsceC84q', 'IsAsJCkOVT', 'F8rspiCtxK', 'ixHs10y5rw'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, zlQfaGiVo1vyOIYK9G.cs	High entropy of concatenated method names: 'xaonbQUVZJ', 'tUwnk2iGob', 'OsRnJRZM4x', 'bK5npRp9Gf', 'KhanVmvGB0', 'jYUna19kOJ', 'No3nKhUOWU', 'VJtniH53on', 'qisn24PA72', 'gdjnwQ5TMC'
Source: 0.2.nowe zam#U00f3wienie.exe.3764c10.2.raw.unpack, wOrrsjPrWHolM0wGmn.cs	High entropy of concatenated method names: 'TycVySp9CC', 'gGFVUN2B9Y', 'SAOVRIxHe5', 'SMAVEMFATT', 'LeFVxo0FZN', 'lyoVX2FCij', 'U33VoUEWEG', 'gaSV4it5fN', 'jAYVvG4Mj9', 'c0sVMQKltR'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, Rgbey1ZDH0xDi1nnoR.cs	High entropy of concatenated method names: 'dXY2mCPPIn', 'Uls2xPZ4ps', 'qdW2XjZ3PP', 'itf2oLYmVM', 'VN424SwDSI', 'vwm2vPfkMy', 'iRD2MUSJLH', 'cB82fbU5nC', 'ePH2ukJtg7', 'smX2yKAD4U'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, NsXZj6kcLxMu0BCYEr8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wydA23pp4f', 'h8dAwnh7Ho', 'Y12AF9nfi8', 'mDVAAqlIZB', 'LhEACiyiIm', 'RLTA7bprRS', 'eKZAN4xcGU'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, rkdQMMfqrHRXWPW2eb.cs	High entropy of concatenated method names: 'pM03Jnb9PW', 'nwx3p7ohiA', 'T403mR06IP', 'oSn3xyBOet', 'Txw3oNZRbR', 'Yid34IftOh', 'IWV3M33dEs', 'OmZ3f9jsJd', 'rgj3yQEua7', 'Ncc3jHLhP6'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, SrXKfBcrBWwDVwLBw3.cs	High entropy of concatenated method names: 'UGdOs40kEI', 'P2AOBlbsi5', 'OAlOWdBf9H', 'pdnOPH0rhB', 'PX7OVMIPBk', 'RyPOa4ZJua', 'UqkBIuQjPD9ZbWpBeb', 'SHRcmjmD3FrpMtOVVA', 'fEnOO8mdBe', 'e9VOr01Jrn'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, h7nFedkkiBpctoav1Hf.cs	High entropy of concatenated method names: 'lN1wq8boTp', 'WegwziraWd', 'bvMFIWiSH1', 'B0aFO01qCf', 'FXYF0DgNDy', 'l2oFrgppkh', 'IDmFQsxF6u', 'F6EF6Of8qg', 'CkCFg3xUW4', 'k7VFGdC8lv'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, uO0Rj4hIlT83787XOc.cs	High entropy of concatenated method names: 'lCqsglrjid', 'N0wsn8hqu7', 'Lgbse55WJM', 'hm3eqoO7CU', 'cVjezesqOe', 'z8HsI5s10X', 'JnUsO4pEeY', 'uSns09bg2V', 'pSIsr8ym9Q', 'kc4sQT91Z8'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, A3NeQZEGTZa5sHlUcg.cs	High entropy of concatenated method names: 'ToString', 'Ly9ajBYkxC', 'yxZaxmLB5l', 'gHgaXqXUCK', 'FU6aoZB8JM', 'u2Aa4HX7xg', 'KGwavVN6I3', 'vG2aMivBRF', 'bELafcdpIT', 'BbBauveby6'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, rKYX3Yoso1r2Q771np.cs	High entropy of concatenated method names: 'ci9e6aeCwl', 'LNeeGrbsne', 'gkSeTgdbn6', 'i6pesW7J9F', 'KcceB9UmsD', 'fOwTZsPBhf', 'oHNTYprQt0', 'fuXTSe8i1b', 'Y8wTHtIa8c', 'jITTd4lwSQ'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, NDUt9OvZQqvSTsk28h.cs	High entropy of concatenated method names: 'GVHeN1v51K', 'yJ1elhSLAY', 'T9He9eTKFF', 'W6iebvD2s6', 'YoVekJAk5y', 'fLaecVL4O3', 'yi9epnWB7x', 'jnve1uDMyQ', 'fxjIOSlZB0gmVB7qtax', 'uPqr0hlwPZRBNrEpF7e'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, TibK6SaIoA7u2IBDZP.cs	High entropy of concatenated method names: 'UDQwnorVTB', 'tQawTneYSj', 'MgKwey1d3H', 'LG1wscZRYj', 'yiuw2AosTk', 'TpXwB8xqMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, sDEXUFRl2S88gO7MAu.cs	High entropy of concatenated method names: 'QchGRUPgHU', 'TvjGEkMwZG', 'EKYGhrMUFm', 'MptG5XaeQX', 'sRlGZMqI1W', 'or3GYYdEed', 'qoNGSiZfKI', 'cVvGHa5MOV', 'I06GdKc8fd', 'fktGqMk52t'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, saSu8hLSCCSq4dDMGX.cs	High entropy of concatenated method names: 'Uq5KWu5nuU', 'mrqKPLIuU4', 'ToString', 'L2oKgHCxZE', 'ciBKGuPj70', 'n93KnhExdU', 'DRCKTkinEa', 'OheKeUKc1T', 'DCuKsitNq3', 'EDrKBc3Ik0'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, xkIOlu4ZbcqC0SILHX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XdD0dB8MKU', 'o220qgUTPb', 'xRH0zTOTKG', 'LrhrIpN1Se', 'QAUrOJmKHG', 'MsRr09aLTq', 'v1urrN16GB', 'jr3gc99dGHKYdXBFlkt'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, niENrkpuxYr7eXZ2uR.cs	High entropy of concatenated method names: 'NTUr6I5sp2', 'ASirgTnih5', 'tZIrGySenK', 'biErnd1L3Y', 'VMSrT4yC2l', 'tnGreoIKjU', 'j24rsYNKof', 'jkNrBlS5jQ', 'nqRrD9YDP9', 'BlUrWTT206'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, kNH5SwlEGI0QD7Oerv.cs	High entropy of concatenated method names: 'CZYKHqsEyy', 'T3AKq8ZTSt', 'gpBiIStGWU', 'ytGiOAsqlo', 'dMhKjN3WN7', 'kpAKUlxaVu', 'p0oK8okC1y', 'i27KRm0mUi', 'SwbKEZ5p1d', 'jNAKhu2lXL'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, fSZ9dokHSwe7dMPuMwK.cs	High entropy of concatenated method names: 'NqcFqgdxpq', 'vGeFzDITi7', 'nCsAI6PqjF', 'NdnRKRL2biTGv9uif4Y', 'jBglYwLD185QwOFAngI', 'rJavsiLdQNOftxlUcZJ', 'kyBBK5L0aMD88TFeRpT'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, vgtcTwO6ZFcXjUlHfT.cs	High entropy of concatenated method names: 'HA1TtMrjOH', 'HSJTcr1vXB', 'bpFnXqtXoE', 'Y3Eno2DLIA', 'ghCn4Jvi92', 'th1nvIPqeV', 'U39nMsuFPv', 'xOknfbXR5l', 'KbfnuA2EsL', 'PVYnypOZXO'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, jbiaLRsKr91fvV4MHZ.cs	High entropy of concatenated method names: 'Dispose', 'vCsOdaQtnh', 'w1T0xZYA8r', 'VrjAZxjBm1', 'EOEOqJwxuJ', 'S2SOzqniGh', 'ProcessDialogKey', 'ab30IbHv72', 'ohk0O3efYj', 'Gvr00hGh51'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, tQH6LPzge7uFZht7qt.cs	High entropy of concatenated method names: 'TcPwkvN83r', 'fULwJc6uYH', 'aQpwp0qwtU', 'r5owmSwsCA', 'HsDwxLuJsa', 'WH7woFo6O2', 'lPbw45ymcY', 'oBGwNpRJKv', 'ifhwlq0ow8', 'DVrwLpTqkJ'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, htq5kMkqVhKSMVyqW9b.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ql3wjrbXFo', 'IY1wUVL8hN', 'QOgw8GOA4A', 'IUbwRdT7VO', 'SVhwERfygB', 'jQnwhqkpGj', 'dT3w5iQJTw'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, mLXuhj8rDoVGB4YJk3.cs	High entropy of concatenated method names: 'ytE99i3Ys', 'rJpb5mjlh', 'p14kNF6Nx', 'QE9ce4xu6', 'cKLp6PsR6', 'IaJ1OrrdO', 'IK5RXpedtiI6E9yZ9D', 'lCHJih3afyU9dIna8G', 'txJiUgt0W', 'btRwS2tWo'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, E0YtI8Xv7FwcOkidBR.cs	High entropy of concatenated method names: 'UiR2Vt562v', 'Wq12KS3EY6', 'usi22iuNrB', 'ycG2FpmWmQ', 'gQv2CjuXhA', 'KGC2Nk9JdK', 'Dispose', 'DJCigZfCn1', 'rktiGNQqGk', 'Xmlina81vl'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, eb9V3neAXbgu8BT8q1.cs	High entropy of concatenated method names: 'NT8slVbb1v', 'GXMsLmCcNp', 'Rgks9MPh15', 'OKusbeJUmR', 'F4Nst4vYVB', 'qojskbDhjc', 'rQtsceC84q', 'IsAsJCkOVT', 'F8rspiCtxK', 'ixHs10y5rw'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, zlQfaGiVo1vyOIYK9G.cs	High entropy of concatenated method names: 'xaonbQUVZJ', 'tUwnk2iGob', 'OsRnJRZM4x', 'bK5npRp9Gf', 'KhanVmvGB0', 'jYUna19kOJ', 'No3nKhUOWU', 'VJtniH53on', 'qisn24PA72', 'gdjnwQ5TMC'
Source: 0.2.nowe zam#U00f3wienie.exe.8470000.5.raw.unpack, wOrrsjPrWHolM0wGmn.cs	High entropy of concatenated method names: 'TycVySp9CC', 'gGFVUN2B9Y', 'SAOVRIxHe5', 'SMAVEMFATT', 'LeFVxo0FZN', 'lyoVX2FCij', 'U33VoUEWEG', 'gaSV4it5fN', 'jAYVvG4Mj9', 'c0sVMQKltR'

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

File created: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: 810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: 2350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: 85E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: 95E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: 97F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: A7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: 8D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: 9D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2D40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6427	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8393	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 389

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 6427 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep count: 191 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7424	Thread sleep count: 219 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7576	Thread sleep count: 169 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8124	Thread sleep count: 389 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 0000000D.00000002.2949045307.0000000001218000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: MSBuild.exe, 00000008.00000002.2948796535.0000000000F36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe"
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C73008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 424000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F4E008	Jump to behavior

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Queries volume information: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\nowe zam#U00f3wienie.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8180, type: MEMORYSTR

Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35e7da0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nowe zam#U00f3wienie.exe.35c7380.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nowe zam#U00f3wienie.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8180, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nowe zam#U00f3wienie.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Strictor
nowe zam#U00f3wienie.exe	45%	Virustotal		Browse
nowe zam#U00f3wienie.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Strictor
C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe	45%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	MSBuild.exe, 00000008.00000002.2952175498.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2952175498.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources	nowe zam#U00f3wienie.exe, fUamrQdFSPAg.exe.0.dr	false	high
http://www.carterandcone.coml	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/	MSBuild.exe, 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	nowe zam#U00f3wienie.exe, 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	MSBuild.exe, 00000008.00000002.2952175498.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nowe zam#U00f3wienie.exe, 00000000.00000002.1749044667.0000000002551000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, fUamrQdFSPAg.exe, 00000009.00000002.1779154692.0000000003284000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	nowe zam#U00f3wienie.exe, 00000000.00000002.1751361094.0000000006662000.00000004.00000800.00020000.00000000.sdmp, nowe zam#U00f3wienie.exe, 00000000.00000002.1751306016.0000000004F40000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	nowe zam#U00f3wienie.exe, 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	unknown	United States	16989	UTMEMUS	false
193.122.6.168	unknown	United States	31898	ORACLE-BMC-31898US	false
193.122.130.0	unknown	United States	31898	ORACLE-BMC-31898US	false
158.101.44.242	unknown	United States	31898	ORACLE-BMC-31898US	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558236
Start date and time:	2024-11-19 08:45:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nowe zam#U00f3wienie.exe renamed because original name is a hash value
Original Sample Name:	nowe zamwienie.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/21@1/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 219 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.175.87.197, 40.126.32.72, 40.126.32.133, 40.126.32.138, 40.126.32.140, 20.190.160.22, 40.126.32.136, 20.190.160.14, 40.126.32.76
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 7852 because it is empty
Execution Graph export aborted for target MSBuild.exe, PID 8180 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:46:04	API Interceptor	2x Sleep call for process: nowe zam#U00f3wienie.exe modified
02:46:05	API Interceptor	27x Sleep call for process: powershell.exe modified
02:46:07	API Interceptor	2x Sleep call for process: fUamrQdFSPAg.exe modified
07:46:06	Task Scheduler	Run new task: fUamrQdFSPAg path: C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z25Solicituddecotizacion.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Transaction_copy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DHL Delivery Invoice.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Bank Swift Copy 2.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	#U304a#U898b#U7a4d#U4f9d#U983c#U3001_20241113.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FIZETESI.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
193.122.6.168	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	DHL Packing list.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Enclosed Offer.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RE Invoice Request (Nov 2024).exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Solicitud de cotizacion Stro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Aral#U0131k PO# IRON-TE-18024 _323282-_563028621286 pdf .exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	0aA7F59xDl.exe	Get hash	malicious	Lokibot	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	WordPicture.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
bg.microsoft.map.fastly.net	PHA AL PO.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	RFQ-378093.vbs	Get hash	malicious	Unknown	Browse	199.232.210.172
	BOMB-762.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	Reminder_ Modifications to Employee Benefits Scheme & Salary Enhancement for Approval.pdf.eml	Get hash	malicious	Unknown	Browse	199.232.210.172
	Zoom.exe	Get hash	malicious	PureCrypter, MicroClip	Browse	199.232.210.172
	Buyer Information.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	________.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	ADZP 20 Complex.exe	Get hash	malicious	Babadeda, Wiper	Browse	199.232.210.172
	Statement_of_account.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.232.214.172
	DRP130636747.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	BOMB-762.msi	Get hash	malicious	AteraAgent	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://website-70396.convertflowpages.com/firstmarkinsurance	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	http://tayakay.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	ADZP 20 Complex.exe	Get hash	malicious	Babadeda, Wiper	Browse	192.229.221.95
	Discord_updater_rCURRENT.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	KKXT7bY8bG.exe	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	rPO_1079021908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	owari.arm7.elf	Get hash	malicious	Mirai	Browse	129.146.156.151
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
UTMEMUS	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Kayla Dennis CV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	New Order_20241711.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Pedido_335_20241112_614171.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	01831899-1 FDMS3008SDC.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PO NO170300999.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
ORACLE-BMC-31898US	rPO_1079021908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	owari.arm7.elf	Get hash	malicious	Mirai	Browse	129.146.156.151
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
ORACLE-BMC-31898US	rPO_1079021908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	owari.arm7.elf	Get hash	malicious	Mirai	Browse	129.146.156.151
	P.O 423737.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PROFORMA + PENDENTES.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z30ProofofPaymentAttached.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Fac.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Nov 19 07:47:46 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	271514
Entropy (8bit):	3.7321109053021058
Encrypted:	false
SSDEEP:	3072:wqUiGGirRP4yN6qe4uEqB7GZ3cHnG4LTgstJeh:wpXJ4ybe47cHjTgs8
MD5:	8A8015715CD3F5FFCA161DE04A61022E
SHA1:	FE1E757061998F622E0DAEB1F5E84F16C3872C4F
SHA-256:	4EE30C2C4F2FCA58A4DB92FFB03C72E907454945B831990493EC6291BF024EB1
SHA-512:	D923FEB0854D147170CD87E2E655A044E7E09FE8F76B577D4BA7725EBAC1FF682272774254BDFAC9A16F5D84E184CE7E513D544799FE48395D28BBA7F5FBAC49
Malicious:	false
Preview:	MDMP..a..... ........B<g............D...............X.......<....#.......%...S..........`.......8...........T...........(=..r...........,$...........&..............................................................................eJ.......&......GenuineIntel............T...........=B<g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90E7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6320
Entropy (8bit):	3.7261343565631937
Encrypted:	false
SSDEEP:	192:R6l7wVeJ5jO6I/PeYa40Bprt89bJXsfNjm:R6lXJtO6RYa40GJcf0
MD5:	8E021D605556E0626DF71D5E603EAB85
SHA1:	B64D436A389FD6BF91BC195B1A03933A56E178BA
SHA-256:	69C7CE4B8059EE907A70AFE111B4ECBAD2F4BEA36D00B1BECAFE7DE9760C7DAD
SHA-512:	4F3791C4B981E00ED9DC0F9375ACF0706B74814FDC948CCF6DD4BDB38A36EB10839BFB118782427A8C02EDB6F6334C691A23F088D1462EE036338C9BC7881A03
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9117.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.48629782361212
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9R2WpW8VY6Ym8M4JQjF+o+q8IxxmLDwMgd:uIjfZI77X7VGJtoBmLLgd
MD5:	0DF4FF31A18995BE74933C382E396313
SHA1:	5E8AD73DDA1C22661822F0606A77E99F0919496C
SHA-256:	8BF0AC128A43658245F0384A415B944CCD80E8AF74349181343D357E4A5C9AE5
SHA-512:	2DF430C0DA8232330427895A4314489D1842BEEACE992170DC196745E426E997430AD77C23985CD2000BFAA3D18468F9325A9494F931CEF7947788FD0515AEC0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594650" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99BF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Nov 19 07:47:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	263744
Entropy (8bit):	3.819890512335702
Encrypted:	false
SSDEEP:	3072:AfbxDwSfjJX7eLtyb4uEqdykzyLTgcFSmfxJ:AfbNXotyb4tAgTgbmf
MD5:	DF2D6DFC64B0E39282246C5EA985895F
SHA1:	CF7DCA31D72037875721A419696DA8CE65A83B8F
SHA-256:	41560DFB877DC8A64F8E2D7C42209ECD0ACF7BF27F21802B5136F3E3A11847C7
SHA-512:	D679424E44CEA7B7D660A31E49F1BA2B25DF20A09EEC4F4A18B6F881079EDAD693ADFD5F370716374FBA9F65E3B654DEEC3AEBCA365827D74CF53B11A3658D65
Malicious:	false
Preview:	MDMP..a..... ........B<g............................(.......T....#......D%..NP..........`.......8...........T...........P=...............$...........&..............................................................................eJ.......&......GenuineIntel............T...........@B<g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B37.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6320
Entropy (8bit):	3.7261371279746824
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbQjy6KYa4xuQE/1VW45aM4UG89bXDsfz0Q9m:R6l7wVeJQjy6KYa40BprG89bXDsfN9m
MD5:	396BB198E69E412F05CAC81FBB2AB6B0
SHA1:	521CF4B8BB7B9B807AD51BCE2A7BA85EA5331353
SHA-256:	58F865A3923B0EC927E22284ABCBCD21BE6EF5F418F6E35A33F5F47B0E8991C1
SHA-512:	402067922BEC964658A133F9D7D95A57BFDDB8D6EAB2F072D2A5886F21C5267D9982F51933EEB773AC48545C6D82BA6F5F6557A1536200B99E6AD6CCD5A949B7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B77.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.487049025702949
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9R2WpW8VY+Ym8M4JQjFO+q8Iz3mL5d:uIjfZI77X7VOJJVmL5d
MD5:	6A769D00987F9225992B6FFEADE1FA2B
SHA1:	2441497E2C385914F439994CDB61FE87B5174D60
SHA-256:	D6F2DBD469C0CBC4DC6A90CBE9202ABD8EB9A688ADB0C47C6FCBCF5BF2A2B029
SHA-512:	B61EAEE9DD4227789B75870D5970DAAB94239C6488E12DA67512CCEE84EDBDEFB7587BB5E4B622B704F0366893FAD08B931D622349ECEA29FDD963EC3A44A85C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594650" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fUamrQdFSPAg.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nowe zam#U00f3wienie.exe.log

Download File

Process:	C:\Users\user\Desktop\nowe zam#U00f3wienie.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZuUyus:lGLHyIFKL3IZ2KRH9OugIs
MD5:	BDD09CBB32C10FB4A1F2AE5BD07F8398
SHA1:	277BE9ABBB4636921F85A791FEDE0B63593982F5
SHA-256:	EB53484ADA20D019143576C17A35241680EFD13FA9042F9ACFE540DED58834B3
SHA-512:	3F13F2A988D73901ED720344493BE33672BA29A3B78A167F53F429B2132EE0A8C7B63ACB65437512D41F474A6A3D028EC4CE4718B126AE7B67B8811CDD8F67C1
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tjvzgyz.32y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj2gwolf.n1w.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gziroowc.esv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxxar0jn.iro.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psp0fd04.24h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2bdyvxf.ehs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rbmunj44.ph3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y1wu0u1r.54j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp

Download File

Process:	C:\Users\user\Desktop\nowe zam#U00f3wienie.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.113130718491567
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaoZ5xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTB1v
MD5:	C15C91E75D85034C1338C78B1F3CA9A8
SHA1:	DB0DDA2DFFBE2C9E82BB7BDCDF5A4FD243BD273C
SHA-256:	69185C97D6F6272F4E26A354DCFA4B7EA7A7C1A0A043FB6E92E6FF6FE874CC18
SHA-512:	9C2799951661F96159230F2FC994BB1C2D3A090FC6EFB8832F77DA858294139CABAB3137E0960CDE75B3823E06D4C8828214E90BC18A5F7A5CC8FFDA457E8EFC
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp6A86.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.113130718491567
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaoZ5xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTB1v
MD5:	C15C91E75D85034C1338C78B1F3CA9A8
SHA1:	DB0DDA2DFFBE2C9E82BB7BDCDF5A4FD243BD273C
SHA-256:	69185C97D6F6272F4E26A354DCFA4B7EA7A7C1A0A043FB6E92E6FF6FE874CC18
SHA-512:	9C2799951661F96159230F2FC994BB1C2D3A090FC6EFB8832F77DA858294139CABAB3137E0960CDE75B3823E06D4C8828214E90BC18A5F7A5CC8FFDA457E8EFC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe

Download File

Process:	C:\Users\user\Desktop\nowe zam#U00f3wienie.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	561152
Entropy (8bit):	7.91456807975491
Encrypted:	false
SSDEEP:	12288:HD7go7VIG3k0MOdkrUC85KbIvXP5LWNSRwHbn+EgXkCkyg:HDEo7V/F5daB5bIvf5LiHb+xkCkn
MD5:	8148BBDCBEC9DD84BDF7089FAE43CE62
SHA1:	58CBAB87C2CBBE8C54F88089D33526409732F6AD
SHA-256:	6F5C8E04089A2DB3AAA4D9447DE589E5DF8899292FBC70A5AD852D7ABC7F174E
SHA-512:	5384F00AA68195C0954DFFFE7E23C5761A1C5E1673AB89908DFE0F2F29CD80FDD3D4F10EFFFEEABC1D7A55F8D6C617B553223C42CE2D5EAAF71A47659D9384FE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37% Antivirus: Virustotal, Detection: 45%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t&<g..............0..r..........N.... ........@.. ....................................@.....................................O....................................o..T............................................ ............... ..H............text...Tq... ...r.................. ..`.rsrc................t..............@..@.reloc..............................@..B........................H........}...O......i...................................................0..$..........s......s.....s ......o!...&..+...0..)........s\....s.......o[...s......o".......+.......0..+........s\....r...p.(#......o[...s......o$....+....0..0........s\....rC..p.r...p(%......o[...s......o$....+...0...........s\.......O...%.r...p.%...%.r...p.%...%.r...p.%....%.r!..p.%....%.r;..p.%.....%..rU..p.%.....%..ry..p.%....%..r...p.(&......o[...s.......o$...&r...p('...&......o(...('...&...*.

C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\nowe zam#U00f3wienie.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.91456807975491
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	nowe zam#U00f3wienie.exe
File size:	561'152 bytes
MD5:	8148bbdcbec9dd84bdf7089fae43ce62
SHA1:	58cbab87c2cbbe8c54f88089d33526409732f6ad
SHA256:	6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e
SHA512:	5384f00aa68195c0954dfffe7e23c5761a1c5e1673ab89908dfe0f2f29cd80fdd3d4f10efffeeabc1d7a55f8d6c617b553223c42ce2d5eaaf71a47659d9384fe
SSDEEP:	12288:HD7go7VIG3k0MOdkrUC85KbIvXP5LWNSRwHbn+EgXkCkyg:HDEo7V/F5daB5bIvf5LiHb+xkCkn
TLSH:	51C4120022EC8BE7D47C5BF22562A11023F67C6F7539F6586EC231DE1A7AF4045A1B57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t&<g..............0..r..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	26b6dac84c6c3e03

Static PE Info

General

Entrypoint:	0x48914e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673C2674 [Tue Nov 19 05:47:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x890fa	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x18ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x86ff8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87154	0x87200	ed86ef94b7cf584c97ec40e5f50f3580	False	0.9466675820999075	data	7.933853621322833	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x18ec	0x1a00	25bb0f1cd87cc8698bb8f3d02df9f807	False	0.4636418269230769	data	4.831634804197998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	53af845dc1cd6a6d1c107e2c5ca7eadc	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8a130	0x1200	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4939236111111111
RT_GROUP_ICON	0x8b330	0x14	data	1.0
RT_VERSION	0x8b344	0x3bc	data	0.4121338912133891
RT_MANIFEST	0x8b700	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 08:46:00.900211096 CET	49736	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:46:00.900301933 CET	443	49736	20.223.35.26	192.168.2.4
Nov 19, 2024 08:46:00.900367022 CET	49737	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:46:00.900454044 CET	443	49737	20.223.35.26	192.168.2.4
Nov 19, 2024 08:46:00.900527000 CET	49737	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:46:00.900609016 CET	49736	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:46:00.902522087 CET	49736	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:46:00.902584076 CET	49737	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:46:00.902594090 CET	443	49736	20.223.35.26	192.168.2.4
Nov 19, 2024 08:46:00.902672052 CET	443	49737	20.223.35.26	192.168.2.4
Nov 19, 2024 08:46:02.824563026 CET	49738	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:03.835032940 CET	49738	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:05.850698948 CET	49738	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:06.553802013 CET	49675	443	192.168.2.4	173.222.162.32
Nov 19, 2024 08:46:06.768704891 CET	49741	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:07.772576094 CET	49741	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:09.500175953 CET	49744	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:09.772571087 CET	49741	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:09.975732088 CET	49738	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:10.678838015 CET	49744	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:12.678839922 CET	49744	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:13.773730993 CET	49741	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:16.694506884 CET	49744	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:17.975756884 CET	49738	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:18.084928036 CET	49672	443	192.168.2.4	173.222.162.32
Nov 19, 2024 08:46:18.084975958 CET	443	49672	173.222.162.32	192.168.2.4
Nov 19, 2024 08:46:21.788269043 CET	49741	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:23.976188898 CET	49746	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:46:24.710283995 CET	49744	80	192.168.2.4	132.226.247.73
Nov 19, 2024 08:46:24.991549969 CET	49746	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:46:27.007292986 CET	49746	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:46:27.807440996 CET	49741	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:28.803961992 CET	49741	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:30.713393927 CET	49744	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:30.803966999 CET	49741	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:31.022716045 CET	49746	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:46:31.725878954 CET	49744	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:33.725857973 CET	49744	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:34.819618940 CET	49741	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:37.725891113 CET	49744	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:39.038399935 CET	49746	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:46:42.819700956 CET	49741	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:45.044876099 CET	49747	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:45.728025913 CET	49744	80	192.168.2.4	193.122.6.168
Nov 19, 2024 08:46:46.054099083 CET	49747	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:48.069773912 CET	49747	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:48.820194006 CET	49741	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:49.819755077 CET	49741	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:51.742095947 CET	49744	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:51.819834948 CET	49741	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:52.069761038 CET	49747	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:46:52.757237911 CET	49744	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:54.773009062 CET	49744	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:55.819765091 CET	49741	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:46:58.788564920 CET	49744	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:47:00.085421085 CET	49747	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:47:00.631057978 CET	49748	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:00.631145954 CET	443	49748	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:00.631244898 CET	49748	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:00.631580114 CET	49748	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:00.631617069 CET	443	49748	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:03.819864988 CET	49741	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:47:06.085814953 CET	49749	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:06.804362059 CET	49744	80	192.168.2.4	132.226.8.169
Nov 19, 2024 08:47:07.101145983 CET	49749	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:09.101106882 CET	49749	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:09.820350885 CET	49741	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:10.835593939 CET	49741	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:12.820365906 CET	49744	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:12.851301908 CET	49741	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:13.101305962 CET	49749	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:13.820063114 CET	49744	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:15.820080996 CET	49744	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:16.851160049 CET	49741	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:19.819981098 CET	49744	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:21.101190090 CET	49749	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:21.805275917 CET	49748	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.812285900 CET	49750	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.812369108 CET	443	49750	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.812470913 CET	49750	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.813043118 CET	49751	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.813091040 CET	49750	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.813123941 CET	443	49751	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.813127995 CET	443	49750	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.813230991 CET	49751	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.813397884 CET	49751	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.813433886 CET	443	49751	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.814943075 CET	49752	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.814970970 CET	443	49752	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.815011978 CET	49752	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.815571070 CET	49752	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.815583944 CET	443	49752	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.815908909 CET	49753	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.815975904 CET	443	49753	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.816052914 CET	49753	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.816687107 CET	49754	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.816695929 CET	443	49754	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.816730976 CET	49753	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.816746950 CET	49754	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.816768885 CET	443	49753	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:21.816889048 CET	49754	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:21.816894054 CET	443	49754	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:24.851252079 CET	49741	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:27.137222052 CET	49755	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:27.820019007 CET	49744	80	192.168.2.4	193.122.130.0
Nov 19, 2024 08:47:28.148133993 CET	49755	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:30.148137093 CET	49755	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:30.872956991 CET	49741	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:31.882533073 CET	49741	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:33.836184978 CET	49744	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:33.898296118 CET	49741	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:34.148173094 CET	49755	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:34.835740089 CET	49744	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:36.835716963 CET	49744	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:37.898210049 CET	49741	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:40.851356983 CET	49744	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:41.804615974 CET	49750	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.804630995 CET	49751	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.804646969 CET	49752	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.804749012 CET	49753	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.805274963 CET	49754	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.807686090 CET	49757	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.807725906 CET	443	49757	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.807935953 CET	49758	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.807974100 CET	49757	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.807985067 CET	443	49758	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.808043957 CET	49759	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.808056116 CET	443	49759	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.808069944 CET	49758	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.808099031 CET	49759	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.808290958 CET	49758	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.808309078 CET	443	49758	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.809211016 CET	49760	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809294939 CET	443	49760	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.809357882 CET	49757	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809377909 CET	443	49757	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.809405088 CET	49760	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809447050 CET	49761	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809472084 CET	443	49761	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.809525013 CET	49761	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809570074 CET	49759	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809583902 CET	443	49759	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.809675932 CET	49761	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809690952 CET	443	49761	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:41.809777975 CET	49760	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:47:41.809812069 CET	443	49760	13.107.246.45	192.168.2.4
Nov 19, 2024 08:47:42.148315907 CET	49755	80	192.168.2.4	199.232.214.172
Nov 19, 2024 08:47:45.913855076 CET	49741	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:48.161916018 CET	49762	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:47:48.255614996 CET	49763	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:47:48.255675077 CET	443	49763	20.223.35.26	192.168.2.4
Nov 19, 2024 08:47:48.255765915 CET	49763	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:47:48.260633945 CET	49763	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:47:48.260667086 CET	443	49763	20.223.35.26	192.168.2.4
Nov 19, 2024 08:47:48.264908075 CET	49764	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:47:48.264928102 CET	443	49764	20.223.35.26	192.168.2.4
Nov 19, 2024 08:47:48.264985085 CET	49764	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:47:48.265470982 CET	49764	443	192.168.2.4	20.223.35.26
Nov 19, 2024 08:47:48.265487909 CET	443	49764	20.223.35.26	192.168.2.4
Nov 19, 2024 08:47:48.851407051 CET	49744	80	192.168.2.4	158.101.44.242
Nov 19, 2024 08:47:49.163892031 CET	49762	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:47:51.163889885 CET	49762	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:47:55.179578066 CET	49762	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:48:01.871011019 CET	49758	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:48:01.871068954 CET	49757	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:48:01.871089935 CET	49759	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:48:01.871117115 CET	49761	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:48:01.871146917 CET	49760	443	192.168.2.4	13.107.246.45
Nov 19, 2024 08:48:03.179660082 CET	49762	80	192.168.2.4	199.232.210.172
Nov 19, 2024 08:48:09.197927952 CET	49765	80	192.168.2.4	192.229.221.95
Nov 19, 2024 08:48:10.195277929 CET	49765	80	192.168.2.4	192.229.221.95

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 08:46:06.753072977 CET	50092	53	192.168.2.4	1.1.1.1
Nov 19, 2024 08:46:06.759979963 CET	53	50092	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 08:46:06.753072977 CET	192.168.2.4	1.1.1.1	0xc2b0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 08:46:02.823359966 CET	1.1.1.1	192.168.2.4	0x702b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:46:02.823359966 CET	1.1.1.1	192.168.2.4	0x702b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:46:06.759979963 CET	1.1.1.1	192.168.2.4	0xc2b0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 08:46:06.759979963 CET	1.1.1.1	192.168.2.4	0xc2b0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:46:06.759979963 CET	1.1.1.1	192.168.2.4	0xc2b0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:46:06.759979963 CET	1.1.1.1	192.168.2.4	0xc2b0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:46:06.759979963 CET	1.1.1.1	192.168.2.4	0xc2b0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:46:06.759979963 CET	1.1.1.1	192.168.2.4	0xc2b0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:47:00.630244970 CET	1.1.1.1	192.168.2.4	0xbf72	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 08:47:00.630244970 CET	1.1.1.1	192.168.2.4	0xbf72	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:47:27.136503935 CET	1.1.1.1	192.168.2.4	0x13b2	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:47:27.136503935 CET	1.1.1.1	192.168.2.4	0x13b2	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 19, 2024 08:48:09.194744110 CET	1.1.1.1	192.168.2.4	0xeb22	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 08:48:09.194744110 CET	1.1.1.1	192.168.2.4	0xeb22	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:46:03
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\nowe zam#U00f3wienie.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"
Imagebase:	0x120000
File size:	561'152 bytes
MD5 hash:	8148BBDCBEC9DD84BDF7089FAE43CE62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1749511432.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nowe zam#U00f3wienie.exe"
Imagebase:	0xa40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe"
Imagebase:	0xa40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp5F3C.tmp"
Imagebase:	0xa0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:46:05
Start date:	19/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xa60000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.2947749407.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2952175498.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:46:06
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fUamrQdFSPAg.exe
Imagebase:	0xdd0000
File size:	561'152 bytes
MD5 hash:	8148BBDCBEC9DD84BDF7089FAE43CE62
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs Detection: 45%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:46:07
Start date:	19/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:46:08
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fUamrQdFSPAg" /XML "C:\Users\user\AppData\Local\Temp\tmp6A86.tmp"
Imagebase:	0xa0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:46:08
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:46:08
Start date:	19/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xbd0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.2951844433.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	02:47:46
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 1556
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	02:47:49
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 1560
Imagebase:	0x650000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	176
Total number of Limit Nodes:	10

Executed Functions

Function 06EE34B8 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

poq, xrefs: 06EE393D
4'kq, xrefs: 06EE3874
~, xrefs: 06EE36D6
:, xrefs: 06EE3737

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: 4'kq$:$poq$~
API String ID: 0-3551392484
Opcode ID: 4c3305b5bfa5ebe35758a07ee9917728a9f0dfb6698689aab1364908e7d50820
Instruction ID: c1e58de3549d129eee55c3c4ae05139d330bdcb9f7490773b33bc31286c48007
Opcode Fuzzy Hash: 4c3305b5bfa5ebe35758a07ee9917728a9f0dfb6698689aab1364908e7d50820
Instruction Fuzzy Hash: 0F420275A00228DFDB55CFA9C940B99BBB2FF48304F1580E9E509AB261D731ED91DF50

Function 06EE2106 Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 06EE210B

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 7d8142113380b24632e64ff20719bcc679b6bbbd34707e71f7f9c61c7da63584
Instruction ID: eb615ed346052192fdca4ea8b38b091e08c587d0e81e21aebc0f61134ea85aba
Opcode Fuzzy Hash: 7d8142113380b24632e64ff20719bcc679b6bbbd34707e71f7f9c61c7da63584
Instruction Fuzzy Hash: 5E52A774A002289FCB64DF64D998A99B7B6FF89300F1045E9D50EA73A5CB35AE81CF50

Function 06FD6568 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17317f029fb68b6a88266757019de1e0fa259cb24e0887bb4fde8dcb0d11e229
Instruction ID: 77d22aa3faccb2ab92f0d7fb2b0287a8c0ddac7a93b27ec13f6c33eabc68b6d1
Opcode Fuzzy Hash: 17317f029fb68b6a88266757019de1e0fa259cb24e0887bb4fde8dcb0d11e229
Instruction Fuzzy Hash: DDE1DB31B017048FDB69DB69C850BAEB7FBAF89300F184469E14ADB391DB35E941CB52

Function 06FD2198 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c602e44a2c515d64ec4aeef0dd483b917d051d389564547c669e6dd6427c88
Instruction ID: 519fb26498e8f164f61fd817264f9f91d9786b3cda70e6e8298d55e5bdb3d8a8
Opcode Fuzzy Hash: 78c602e44a2c515d64ec4aeef0dd483b917d051d389564547c669e6dd6427c88
Instruction Fuzzy Hash: 10417F75D09208CFEB54CFA6D5456EDBBFABF4E300F18A025D109A3254EB346646CF80

Function 06EEBD18 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad91af934605d392070b4e1d8feafd6433ea2f8b9b32f23ee1893bb48ddf3290
Instruction ID: 1b17d216cb7d074082337069b7d931c2567667af4e29f20b9643e7f4592d7249
Opcode Fuzzy Hash: ad91af934605d392070b4e1d8feafd6433ea2f8b9b32f23ee1893bb48ddf3290
Instruction Fuzzy Hash: AB211AB1D046589BEB58CFA7C8453DEBFF7AFC9300F14D06AD409A6264EB7509468F90

Function 06FD491D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f21fd12ba5bfeda40ec3b772fcd0203e1b006460ffcd7c8d563a89e95bd6869
Instruction ID: a588b04663a70de7450d9a104fce43c41d7fc8bcb8fa8e32530e4406e60de073
Opcode Fuzzy Hash: 9f21fd12ba5bfeda40ec3b772fcd0203e1b006460ffcd7c8d563a89e95bd6869
Instruction Fuzzy Hash: 8ED09E7590C144DFD7A0DF54D4855B8B7BDBB0A300F442155D40DA32A1D730A9C18E84

Function 06EE2C38 Relevance: 7.9, Strings: 6, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4|pq, xrefs: 06EE2E43
4|pq, xrefs: 06EE2E28
4'kq, xrefs: 06EE2CAE
4'kq, xrefs: 06EE2C53
$kq, xrefs: 06EE2D00
4'kq, xrefs: 06EE2CDE

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq$4|pq$4|pq$$kq
API String ID: 0-377471079
Opcode ID: b787fc8c7894b9d1814bf838afed0c17ac257d3dbace76dd56900da796d9ccf7
Instruction ID: 080000141888d2b27e41359bd9090b9839a700db66ffb5acb1a582584cf60a2a
Opcode Fuzzy Hash: b787fc8c7894b9d1814bf838afed0c17ac257d3dbace76dd56900da796d9ccf7
Instruction Fuzzy Hash: 80E1F130B002158FCB69DF79D8545AE7BEABF89310B255469E506DB3A1EF34CD42CB90

Function 0081CFF1 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0081D07E
GetCurrentThread.KERNEL32 ref: 0081D0BB
GetCurrentProcess.KERNEL32 ref: 0081D0F8
GetCurrentThreadId.KERNEL32 ref: 0081D151

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4639ad2daa7991eef0c57b91803a5708270750bd9f3f8b3dd8889dee377ce1b5
Instruction ID: 74890eec5089228880cbd1c927fda614db4d1904eae9577f2f49cbaa2271c5e1
Opcode Fuzzy Hash: 4639ad2daa7991eef0c57b91803a5708270750bd9f3f8b3dd8889dee377ce1b5
Instruction Fuzzy Hash: 4A5153B09007498FDB14CFA9D548BDEBBF5EF48304F208059E449A73A0DB759984CB65

Function 0081D000 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0081D07E
GetCurrentThread.KERNEL32 ref: 0081D0BB
GetCurrentProcess.KERNEL32 ref: 0081D0F8
GetCurrentThreadId.KERNEL32 ref: 0081D151

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f667f921bdb62132d294108fc47ad469cb604d953e0e2c7688e14110f4fdd00a
Instruction ID: 23a7710c8fb498ec473be3f67ea4cb41206887f7a220727fa7147974eec74747
Opcode Fuzzy Hash: f667f921bdb62132d294108fc47ad469cb604d953e0e2c7688e14110f4fdd00a
Instruction Fuzzy Hash: 1F5142B09007498FDB14CFA9D948BDEBBF5EF48314F208029E459A73A0DB759984CF65

Function 06FD1534 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FD1776

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f9a74cb49bdb87ab90f5153b3eee0e1a884f705f8457d7b3ac75b022aaece93d
Instruction ID: c0445add7b38967207ff423c651977e05a03963e3d3c66f8a306c3638356fb54
Opcode Fuzzy Hash: f9a74cb49bdb87ab90f5153b3eee0e1a884f705f8457d7b3ac75b022aaece93d
Instruction Fuzzy Hash: 2AA16D71D00219DFDB50DFA8C841BDDBBB2FF49310F1885A9E809A7294DB74A985CF91

Function 06FD1540 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FD1776

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e06888317170e19913081a73aa1e4e396016a9d9bef335d9db2ef567203f9403
Instruction ID: d08c3814b8198b152a2f85ed56264c036ebb69f923e33634c5879f842fd285d2
Opcode Fuzzy Hash: e06888317170e19913081a73aa1e4e396016a9d9bef335d9db2ef567203f9403
Instruction Fuzzy Hash: F3916B71D00219DFDB60DFA8C841BEDBBB2FF49310F1885A9E809A7254DB74A985CF91

Function 0081AD68 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0081AFBE

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ad9a1138d3af6da46f2112ee27ded4a08227162ac08f513100e2ef79c2b2486f
Instruction ID: f414401f2fb7a7f745f8033897993f4b0de8d06f01eb00c387641440a212c852
Opcode Fuzzy Hash: ad9a1138d3af6da46f2112ee27ded4a08227162ac08f513100e2ef79c2b2486f
Instruction Fuzzy Hash: 3E713470A01B058FD728DF29D04079ABBF5FF88304F00892DD48AD7A50DB74E989CB92

Function 0081590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008159C9

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 09bffe6dca8d33b09454e3651df1bfa667c65e45197137878ea4dc08f8bf3671
Instruction ID: 8e2260d7648bcf960bd19a8f54675df0094915e471d743d83a17110038f36c72
Opcode Fuzzy Hash: 09bffe6dca8d33b09454e3651df1bfa667c65e45197137878ea4dc08f8bf3671
Instruction Fuzzy Hash: 0741F4B0C00759CFDB25DFA9C844BCDBBB5BF49304F24819AD408AB255DB756985CF90

Function 008144B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008159C9

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 65c9d68f879cdf532e214d2a18511d7025087f3a3be1b36821c35117cd0144ff
Instruction ID: 0b9324c30163d49814c7dfd5e86f60fee0f7394e000129d60b4d14927e4fd966
Opcode Fuzzy Hash: 65c9d68f879cdf532e214d2a18511d7025087f3a3be1b36821c35117cd0144ff
Instruction Fuzzy Hash: 7441B2B0D00619CADB24DFA9C844BDDBBB5FF45304F248169D408AB255DB755985CF90

Function 06FD12B0 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FD1348

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: acf8d0a890434ab4990fe6a4577f690e6579d57afe9de5ccfa00a7464e076041
Instruction ID: 838c168bf2ae05a9d2a77e62594a49b2a75a9afef7acdbc97a9cfb869c8194a1
Opcode Fuzzy Hash: acf8d0a890434ab4990fe6a4577f690e6579d57afe9de5ccfa00a7464e076041
Instruction Fuzzy Hash: 102155B2D003499FDB10CFA9C981BDEBBF5FB48320F148429E958A7240C778A944CBA4

Function 06FD12B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FD1348

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 61cbd77e4ef3ceb596e9cdb7abf022f5ff007e405d04777124abd06ec9c8dbba
Instruction ID: d93afa10041f6f1f467a2a8d83cea9ad710f423e87f497a1afc33993a18a38e1
Opcode Fuzzy Hash: 61cbd77e4ef3ceb596e9cdb7abf022f5ff007e405d04777124abd06ec9c8dbba
Instruction Fuzzy Hash: 592146B2D003599FDB10CFA9C881BDEBBF5FF48320F148429E958A7250C778A954CBA0

Function 0081D648 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0081D6D7

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08c54cec1da525617fedd3788ef67d1ed8ec98d8c9ecf8d50f6a6ebef0d9d230
Instruction ID: 088b2448e1a60e2bf334d19a0d28c1f274aaf6b407b21f7b351efdf80b58fb7c
Opcode Fuzzy Hash: 08c54cec1da525617fedd3788ef67d1ed8ec98d8c9ecf8d50f6a6ebef0d9d230
Instruction Fuzzy Hash: 142103B5900258DFDB10CFAAD884ADEBFF8FB48310F14841AE958A7310C374A944CFA5

Function 06FD13A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FD1428

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6f7a05b9703f0bf3cd90536a50557cd13e2d73a3a116771f430ebdf92c128b3a
Instruction ID: a4bb590292f8d9c4d29bb3633a32bbb8ad11bfaf2b3f2c0d9ae0395ef8914558
Opcode Fuzzy Hash: 6f7a05b9703f0bf3cd90536a50557cd13e2d73a3a116771f430ebdf92c128b3a
Instruction Fuzzy Hash: F22136B1C003599FCB10DFAAC841ADEBBF5FF48320F10842AE558A7250C7349540CBA0

Function 06FD1118 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FD119E

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d2b9af482809aaba0f1f7f3edaca0d92d769f586d38708f4c025cba76b3992b6
Instruction ID: 501ee0e8250153850a175352b0805aeb6c66db4e86b9c03e7f5a8b67cdcce80d
Opcode Fuzzy Hash: d2b9af482809aaba0f1f7f3edaca0d92d769f586d38708f4c025cba76b3992b6
Instruction Fuzzy Hash: 69216A71D002098FDB50CFAAC4847EEBBF5EF98324F148529D459A7290C778A544CFA4

Function 06FD13A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FD1428

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6be2519665e9a3ce01d681bd1a768fe3844e6a1cb52690d5ecf81eb9a072a9f6
Instruction ID: 6edd97f8d18b0d81f5bfa813a2bb92316fd5ef69dee7170f446300467c7a9d83
Opcode Fuzzy Hash: 6be2519665e9a3ce01d681bd1a768fe3844e6a1cb52690d5ecf81eb9a072a9f6
Instruction Fuzzy Hash: 3C2128B1D003599FCB10DFAAC840ADEBBF5FF48320F108429E558A7250C774A544CBA4

Function 06FD1120 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FD119E

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1fd84278284cbe912556dd7e28ec73a0686a10e53809e64e8bc91146d62fd1e4
Instruction ID: 49fbcae925f30029c383d2aaa0da0d33cc13bb1dc2106714cdc5cf798be1d4b3
Opcode Fuzzy Hash: 1fd84278284cbe912556dd7e28ec73a0686a10e53809e64e8bc91146d62fd1e4
Instruction Fuzzy Hash: E72149B1D003098FDB10DFAAC4857EEBBF5EF48324F14842AD459A7241C778A944CFA4

Function 0081D650 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0081D6D7

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: da3b8c397795a62643503fcf53339382a9e821c430149835ae1ebd38b3bad225
Instruction ID: 50b70bec58c81917c4031457b7aa3c79522cacb51fabb1a5650bd83caa12fd91
Opcode Fuzzy Hash: da3b8c397795a62643503fcf53339382a9e821c430149835ae1ebd38b3bad225
Instruction Fuzzy Hash: 0D21C2B5900258DFDB10CFAAD984ADEBFF9FB48320F14841AE958A7350D374A944CFA5

Function 06EE4FDF Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

@, xrefs: 06EE5107

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b49189e3d3f35262e43d34d54c8a3ddee0f017ddced6c2b76a21eb9f10ea4c6b
Instruction ID: abb540eb058424adeeed779886e53f6a3392f503650ca373fe77709acfbf65f1
Opcode Fuzzy Hash: b49189e3d3f35262e43d34d54c8a3ddee0f017ddced6c2b76a21eb9f10ea4c6b
Instruction Fuzzy Hash: D0E19374E00218CFDB50CFA9D990A9DBBF1FB49314F1491AAE819E7345E731AA86CF50

Function 06FD11F0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FD1266

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8efa49b0f08c284168c70cc0c7b538ca61fe7be113a614dbd216bd32afe4d362
Instruction ID: 460118299c8e76c2ed124a30417035fa852c6b16b142fdc8524e86a7ed9a52b2
Opcode Fuzzy Hash: 8efa49b0f08c284168c70cc0c7b538ca61fe7be113a614dbd216bd32afe4d362
Instruction Fuzzy Hash: 11114772D002499FCB10DFA9C844ADEBBF5EB48324F148919E565A7290C735A544CBA0

Function 06FD0C30 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FD0C9A

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 174480e7187f27b76c76dd42759deb00bd2fe30e9815b7574a9f046b7d7e7ff9
Instruction ID: 14f07203c4ecb2a708a7fc274a0d6d6440d8468d3617e4825318f6782df2a021
Opcode Fuzzy Hash: 174480e7187f27b76c76dd42759deb00bd2fe30e9815b7574a9f046b7d7e7ff9
Instruction Fuzzy Hash: 951149B1D00348CBCB20DFAAD4457DEFFF5AB88324F248419D559A7250CB75A544CBA4

Function 06FD11F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FD1266

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 371a1989c732d8d2375c22441cc4d859b7a3ed566b61256c2ee8ee93886b656c
Instruction ID: 84b7db111f9f6346771716cf9b759205d1510bcf209612de9115eb0b81e30374
Opcode Fuzzy Hash: 371a1989c732d8d2375c22441cc4d859b7a3ed566b61256c2ee8ee93886b656c
Instruction Fuzzy Hash: 461153729002499FCB10DFAAC844BDEBFF5EB88320F248819E559A7250C775A944CFA0

Function 06FD0C38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FD0C9A

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ecb6a87430a70b50a4478a866b5d7055de033cf5bb260c86a46f88e019817e8f
Instruction ID: fea8ff1716a5bb6dd34b2e1c767cb2d1a00f746353a7ae6b5c4dc48c7a59799e
Opcode Fuzzy Hash: ecb6a87430a70b50a4478a866b5d7055de033cf5bb260c86a46f88e019817e8f
Instruction Fuzzy Hash: 5D1136B1D003588FDB20DFAAD4457DEFBF9EB88324F248829D459A7250CB75A944CFA4

Function 0081AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0081AFBE

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19e5beec620b65d82ffce7f230cceb834833cf9f892a86ef50c0a7badc2bcb2e
Instruction ID: 17c75b3fd123b537969c456834bf7c5e6eb088516c28e79ee5abd36c4982a02f
Opcode Fuzzy Hash: 19e5beec620b65d82ffce7f230cceb834833cf9f892a86ef50c0a7badc2bcb2e
Instruction Fuzzy Hash: 6F11E0B6C012498FDB14CF9AD444ADEFBF8FF88324F10842AD459A7610C779A585CFA5

Function 06FD58B8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06FD5915

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 363bb824a7d0b3d0600469d49042628a1e4a99e1f3684e9ba5e242d1da7e4db0
Instruction ID: f4c330acb16b553f4bb3280c759ac2d803eddc2837f3863d2a3edb59ab4601d1
Opcode Fuzzy Hash: 363bb824a7d0b3d0600469d49042628a1e4a99e1f3684e9ba5e242d1da7e4db0
Instruction Fuzzy Hash: 181100B5800349DFDB10DF9AD884BDEBBF8EB48320F10841AE558A7200C375A984CFA1

Function 06EE3D9E Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06EE3E1A

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 0fcdf17ee78e86a8c4b6c94b13d494c78f993d8f5b04cdfe6fde9b726529ed29
Instruction ID: b3c17be308cf705eab45b15e4c99365824abd4e0aa0744b031cda6dd809d722c
Opcode Fuzzy Hash: 0fcdf17ee78e86a8c4b6c94b13d494c78f993d8f5b04cdfe6fde9b726529ed29
Instruction Fuzzy Hash: 4691F5B4E042189FCB54DFA9C480AEDBBF2EF49314F20952AE819E7355EB359942CF40

Function 06EE4894 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

Tekq, xrefs: 06EE5C51

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 11df028e1d7d1a7f82343742df1117472307ef03da7c48a4c1722c0cd1047484
Instruction ID: e4876904e714342fecfd6e54a606973d36183f91646ce0521596356f6b35b79a
Opcode Fuzzy Hash: 11df028e1d7d1a7f82343742df1117472307ef03da7c48a4c1722c0cd1047484
Instruction Fuzzy Hash: 7C51CD31B003058FCB01DF7998588AEBBFAEFC4224B148669E42ADB391DB359D068790

Function 06EE4428 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8oq, xrefs: 06EE44C9

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: cbbe5d94d91a6172b4cb88c1124440e914024db57be3201cffc4ae687379d46b
Instruction ID: c9a2b93b0a1d25347d260f9244d8491dc6747bc9c39c8297ddc863ea606031b8
Opcode Fuzzy Hash: cbbe5d94d91a6172b4cb88c1124440e914024db57be3201cffc4ae687379d46b
Instruction Fuzzy Hash: BD410674E00219EFDB44DFA8D5549EEBBF2FB89300F109429E815A7394DB35AD46CB50

Function 06EE4417 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

8oq, xrefs: 06EE44C9

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: c4b933ebe43ff6bef82ce661c075cfde5a1affc78e9eea0b9a0931ebc2b8005d
Instruction ID: 6a1d40ee9039971a30950513b2e1c889081b30a160662de66766a8c2307d932f
Opcode Fuzzy Hash: c4b933ebe43ff6bef82ce661c075cfde5a1affc78e9eea0b9a0931ebc2b8005d
Instruction Fuzzy Hash: 8D413A74E00208EFCB44DFA8D5549EEBBF2FB89304F10846AE815AB394DB359D46CB50

Function 06EEAEC8 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

Tekq, xrefs: 06EEAF3B

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: baea9c9f753051285e4c0146450da60375848c991ff519f413fddb741b12c35e
Instruction ID: 47adee126366f2341621e20f0ac6052f33083c8313e74037ec3934460f78ee13
Opcode Fuzzy Hash: baea9c9f753051285e4c0146450da60375848c991ff519f413fddb741b12c35e
Instruction Fuzzy Hash: 0231C174E01308DFDB44CFA8D884AEDBBB6FF88300F209029E919AB265D735A945CF50

Function 06EEAE94 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Tekq, xrefs: 06EEAF3B

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 07fb7825087f367d0a165416a42346f0f976bee405070b8f8b23cf150ca648df
Instruction ID: e21a83b32e4141bb2ee1087e6b99c0ae21bb8317f285d73ab8db7f33607de90a
Opcode Fuzzy Hash: 07fb7825087f367d0a165416a42346f0f976bee405070b8f8b23cf150ca648df
Instruction Fuzzy Hash: 9131B1B4E04219CFDB48CFE8C8809EDBBB5FF48310F245129E919AB365D735A945CB50

Function 06EE5608 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 06EE5673

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 28dd911b19ce7452c2001d845dcbd3156cfeb393cb2b9080137855a9cb32d538
Instruction ID: 7ec43c14b7ccd140e952203f9ef4f0ab88e65923869b2c7dd76418ff7e9a20de
Opcode Fuzzy Hash: 28dd911b19ce7452c2001d845dcbd3156cfeb393cb2b9080137855a9cb32d538
Instruction Fuzzy Hash: 79113A71B1120A8BCB94EAA999105EEB7B6AB98314F204069C504E7354EB369E01CBE1

Function 06EEAE23 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 06EEAEA4

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: fa5e625fab15f2457b820c74eda81e140ef2618a0d2da53f5af35a737b7a9cff
Instruction ID: 78d191983bfb7a0e15ae1c6d29f71dd913da64573f76d4e412ac421dce6339e0
Opcode Fuzzy Hash: fa5e625fab15f2457b820c74eda81e140ef2618a0d2da53f5af35a737b7a9cff
Instruction Fuzzy Hash: 7A1129B0D006488BDB58DFEAC5456DEFBF6AF88300F14D02AD405AB258EB741986CB90

Function 06EEAEFE Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

Tekq, xrefs: 06EEAF3B

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: bcc78670bd5a0261a4efdd67abc19390aaf2ecb1e480c2a63e024def4c9023b6
Instruction ID: 659f2740241bb5e88b438b2790794e8fb1a2df4438ba123472cc3a8fe436465f
Opcode Fuzzy Hash: bcc78670bd5a0261a4efdd67abc19390aaf2ecb1e480c2a63e024def4c9023b6
Instruction Fuzzy Hash: 33118075E00219DFCB04DFD8D8859EDBBB6FB48310F108129EA19AB355C7356855CF50

Function 06EE7EF9 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

;, xrefs: 06EE7F1C

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 129f3fdc4d72649264e32f41513d40ded3827ba9b191e0563c62028d25dafb92
Instruction ID: 2cc7a2d499d6c39d20f837c71fee22bc69b5391a173e77dfd4d12e5857adb920
Opcode Fuzzy Hash: 129f3fdc4d72649264e32f41513d40ded3827ba9b191e0563c62028d25dafb92
Instruction Fuzzy Hash: 82015274D053099FCF91CFE8D5456EEBBB5BB09305F20A595D804A3340D7384A41DB91

Function 06EE7450 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

m, xrefs: 06EE7464

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 3fce1891fab37783ef5e721898ac93dc4a500596b0c3600dbdf569a3fd51e67d
Instruction ID: 88c6b13a6e343c0db63f09fa6f4235824c4c5e6329653476cd9c3459b06e42e1
Opcode Fuzzy Hash: 3fce1891fab37783ef5e721898ac93dc4a500596b0c3600dbdf569a3fd51e67d
Instruction Fuzzy Hash: 8AE0C230D0530CABCF94EFF4E4042AD7BB8A704305F402196C40593240E7310A56CAA1

Function 06EE3348 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 06EE335C

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: abb518a89d4dac4fe182b6da88ec90da98d96d8db7144729e289c243e60db97f
Instruction ID: 1220cefeb51f517ed1ed976b3f0a081baf593e17fa83a38359ed3f53f92ebd5a
Opcode Fuzzy Hash: abb518a89d4dac4fe182b6da88ec90da98d96d8db7144729e289c243e60db97f
Instruction Fuzzy Hash: E7E0C230D04308FBDB60DFB4D40DAAEBBB8B709205F905695D40593280EB358A91D681

Function 06EE4038 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

7, xrefs: 06EE404C

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 67b80efdb806fd93b45210606af1364aff514303f46e4e39a5efc46180576b2a
Instruction ID: 7cff54347a48da04c6911028cab5d520e3e4799488674954446108ac906ea1c6
Opcode Fuzzy Hash: 67b80efdb806fd93b45210606af1364aff514303f46e4e39a5efc46180576b2a
Instruction Fuzzy Hash: CFE08C3090520CEBCB90EAA4A4056AD77F8A704204F4021A5C40693680E6340A45D682

Function 06EE6D37 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fb1c4b458cec1afa82d9cda4085b06c0c99bf192c25d0cef769beb47b68bd6
Instruction ID: d2ca4df895c6fc9542cc3e3dea436b7f814ea2755087ebf5be0966d1273982dd
Opcode Fuzzy Hash: e3fb1c4b458cec1afa82d9cda4085b06c0c99bf192c25d0cef769beb47b68bd6
Instruction Fuzzy Hash: 3181A274E142198FDF50CFA8C880AEEBBB1EF59304F109469E819EB351D735AA46CF50

Function 06EE8560 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e5f5fb7f3375cdfc92881ab39699edfe2190c07e4a1d895d98d00644541ca2
Instruction ID: 36928fcad1f3cddf0b7794a95ef9a310c91360c86cb2f73308456f732d7e3fd3
Opcode Fuzzy Hash: a0e5f5fb7f3375cdfc92881ab39699edfe2190c07e4a1d895d98d00644541ca2
Instruction Fuzzy Hash: 5D415A74E10209DFCB44CFA8D440AAEBBF2EB89314F109469E815E7390DB35AD06CF55

Function 06EE8550 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7cac64d2e42696597da75abbf804c122f12fd8e32745b17e7e41f8e1a644ad
Instruction ID: 0d06573eb0ef0064082a4d2f0dc822be9a5f68b658863bd932e3cf3878ddc4cc
Opcode Fuzzy Hash: 3d7cac64d2e42696597da75abbf804c122f12fd8e32745b17e7e41f8e1a644ad
Instruction Fuzzy Hash: 85416D70E10208DFCB44CFA8C850A9FBBB2EB49314F149569E815E7390DB359D46CF54

Function 06EE2FB0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d87cb7a5a910a5182be6ae56b591aaace0af3c5261566084b36310fb172a98
Instruction ID: 854d3e37a4b20321c9b39accd4c678eb59bae879617f27d6e38689c5eeaac708
Opcode Fuzzy Hash: c8d87cb7a5a910a5182be6ae56b591aaace0af3c5261566084b36310fb172a98
Instruction Fuzzy Hash: 6A411374E1024A9FCB64DFB9E8595AEBBF1BF49215F10942AE801E3290EB34D951CF60

Function 06EE592C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd7fe692f012b7d5f998627a02740aa595ba51a01e3bab978120043dadb06a8
Instruction ID: 86819d02329914e8f7f2540fc6a14d9f7518360aae2774e2a048aed06b3ea8c5
Opcode Fuzzy Hash: ebd7fe692f012b7d5f998627a02740aa595ba51a01e3bab978120043dadb06a8
Instruction Fuzzy Hash: 0E3147B1900348AFCF50DFA9D844ADEBFF9EF48314F10846AE915A7210D735A945CBA4

Function 06EE5AB0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac82cf9be4940a387e7dab412c9527929d25685d3eadf92ff5d9010cb2e29f8a
Instruction ID: 70acc75d0c98fe8712966d05624cd43cf34c560d7357b2d33a1fef0e6f8a2e3b
Opcode Fuzzy Hash: ac82cf9be4940a387e7dab412c9527929d25685d3eadf92ff5d9010cb2e29f8a
Instruction Fuzzy Hash: 12212971E057944FC742EF3C9C505EF7FB6EFC5224B19446AC494DB252EA30890AC3A1

Function 06EE4EC8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaddc5190745b28462b13a020cf70a630db0017abda0564ffa196a3d023c3b5c
Instruction ID: b0fcf6542e12c15ad998a6697ab1b974c08d8381c82601501ce8e1a7c85ad97a
Opcode Fuzzy Hash: eaddc5190745b28462b13a020cf70a630db0017abda0564ffa196a3d023c3b5c
Instruction Fuzzy Hash: 213185B4E15209DFDB50CFA9D5456EEBBF4BB08214F1494AAD814F7380E7389A41CF61

Function 0076D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748114284.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0708df2f0fd385b5b556e7ef2269d8cce2a3d45a08861550809eea46bd1c8b
Instruction ID: 06ae0fe2edb58cbed96e4b2555977f5386d05e23c3cb4fb7b12661982dfbafa5
Opcode Fuzzy Hash: 1a0708df2f0fd385b5b556e7ef2269d8cce2a3d45a08861550809eea46bd1c8b
Instruction Fuzzy Hash: 472148B1A10284DFCB20DF04C9C0F16BF65FB98314F24C169DC0A4B256C73AEC46C6A1

Function 0077D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748175436.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca78977fec8b1d171bed5142847b6d98cf849da9c4dd9ea1dd0f790152f5281a
Instruction ID: 034e3496f57f02fa187171c5a2e2bfbf76e2c032725ca0cda450f8bc71460756
Opcode Fuzzy Hash: ca78977fec8b1d171bed5142847b6d98cf849da9c4dd9ea1dd0f790152f5281a
Instruction Fuzzy Hash: 3E21D071604204EFDF25DF14D980B26BBB5FF88354F24C6A9E94D4B296C33ADC46CA61

Function 0077D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748175436.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1357ad43f79d67833ab9ca7554b24dcb6fb65d4a1bce5707c2b5925b298c43e8
Instruction ID: 42e9a6d3a339cd673889d538baee4d14e7f27b6759e96bb6455ceacf4a789113
Opcode Fuzzy Hash: 1357ad43f79d67833ab9ca7554b24dcb6fb65d4a1bce5707c2b5925b298c43e8
Instruction Fuzzy Hash: B521DE75604204DFCF24DF24DA84B26BBB5EF88354F24C569E80E4B296C33ADC46CA61

Function 06EE5C94 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fc2b0f110b299bc3f5b88ae3855c9b5709f3825c37c0e90b39dcc0d923a0fa
Instruction ID: cb79cc24cd317637ee7faf96c56402449128154b4a3e5efada130d1a95a739e3
Opcode Fuzzy Hash: 39fc2b0f110b299bc3f5b88ae3855c9b5709f3825c37c0e90b39dcc0d923a0fa
Instruction Fuzzy Hash: A931D1B4C01358AFDB60CF99D989BCEBFB5AB48318F24845AE444AB250C7B55885CFA1

Function 06EE6FA0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db991b26e624d76ca6b058e712febf9c323274c029042a30d3247e2c6809b8d9
Instruction ID: 7f1add946f97474f0c0a06b84aa5ae1380cc4fcfe6cc9ab455fdf5e25f746cd2
Opcode Fuzzy Hash: db991b26e624d76ca6b058e712febf9c323274c029042a30d3247e2c6809b8d9
Instruction Fuzzy Hash: 4E11C4B1A09384AFCB46CB708D544AD7FF8DF56200B2444E6E814CB253EA368E06C762

Function 06EE5748 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572d3bec0980e6e73a25c0524f83a9d8e21807cd12b9a9c40594e9b3d6c19905
Instruction ID: d128c9dd886b4599b80a72b6f8bc04897d6821a3ef59f3c576865c550c411523
Opcode Fuzzy Hash: 572d3bec0980e6e73a25c0524f83a9d8e21807cd12b9a9c40594e9b3d6c19905
Instruction Fuzzy Hash: 9931DFB4D01318DFDB60DF99C989B8EBFB4AB08318F24901AE408BB250C7B55885CF95

Function 0076D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748114284.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 582ee6aea6e01dfbfac1018e78334ba0e7ee2361f59295c8f223850b33571930
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 4311DF72904280CFCB12CF00D5C4B16BF72FB94324F24C2A9DC0A0B656C33AE85ACBA1

Function 06EE593C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e9435bcff6da1e32ba6865c4b35ac422a1b0a89342da3cba2fcc6d93c84577
Instruction ID: c630f275ab9e65d77832388b1dc37cc9943e8f95f452160458388ca7b6df55dd
Opcode Fuzzy Hash: f6e9435bcff6da1e32ba6865c4b35ac422a1b0a89342da3cba2fcc6d93c84577
Instruction Fuzzy Hash: BC2100B59003499FDB20CF9AD884ADEBFF4FB48320F10842AE918A7210C375A944CFA5

Function 06EEBF72 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9283a0b0f89bb60def4cc431e4ac76351921662c0d0a25d4b3c3b2a746b21823
Instruction ID: bce6fb81706d1dd39028951442d0b0ae76e3faf0271a3b9bc1a8cedef168b765
Opcode Fuzzy Hash: 9283a0b0f89bb60def4cc431e4ac76351921662c0d0a25d4b3c3b2a746b21823
Instruction Fuzzy Hash: E321C674E05619CFEBA4CF98D950BEDBBB5BF58300F24A296D519A3345D2309E81CF50

Function 0077D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748175436.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 59d06eec7f4fb7bc7ea0e15c9ff232049fc7a8ccf83ecdb7074e6997a0271a6e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7311BB75504280CFCB21CF14D5C4B16BBB2FB88314F28C6AAD80D4B656C33AD81ACBA2

Function 0077D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748175436.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 652d5c270cb083ad90495f6103861c78353cd1d7ffca6845d0010659d62d00c6
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8C117975504280DFDB16CF14D5C4B15BBB1FB84324F28C6AAD8494B696C33AD84ACB61

Function 06EEBD28 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d294fff70779d4911c527ba4fb8fb7a8c5a01be5e341fc1f5b8b86034121eb
Instruction ID: d04f9495cdfdd19f461a4444842a44d5521f9a4a7d9ca0e6ee2e246ec165f887
Opcode Fuzzy Hash: e5d294fff70779d4911c527ba4fb8fb7a8c5a01be5e341fc1f5b8b86034121eb
Instruction Fuzzy Hash: 281116B1D046188BEB58CF9BC9443DEFAF7AFC8300F14D06AD409762A4DB7409468F80

Function 0076D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748114284.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c2c6634e5f8b35b962a58c3ecf65af294963f0a2623d6ceb5c1dda4802a2ea
Instruction ID: 58954ab7e77451c68f845a5a257ff5c0830c713e339cdd6073d9f14af1fd06bd
Opcode Fuzzy Hash: 39c2c6634e5f8b35b962a58c3ecf65af294963f0a2623d6ceb5c1dda4802a2ea
Instruction Fuzzy Hash: 3101A771A093449AE7205E25DD84767BFD8EF51724F18C56AED0A4A286C27D9C40C672

Function 06EE32C1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe33d9bdb42f2e28ff51397473c9aefb8d03f9d664145257312fdf25469b7d6
Instruction ID: 60cc57820fd458fa3210b0a5bd80fcbad7988e23d86bc8f6b6d5ce866b8f7b82
Opcode Fuzzy Hash: 5fe33d9bdb42f2e28ff51397473c9aefb8d03f9d664145257312fdf25469b7d6
Instruction Fuzzy Hash: 8E018F74E09208AFCB41EFB8C8559AEBFF4EB0A314F009596D854E3341E7359A06CB91

Function 06EE6C18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b871a3a4f73e65761c3f24298388e08776a9bf214e104ecad9ada08daa5a6d
Instruction ID: 03b25e0f5a3ee0ab6a1deca56d2dade9bfcbb78db262d49edcabf99f97c49ed7
Opcode Fuzzy Hash: b1b871a3a4f73e65761c3f24298388e08776a9bf214e104ecad9ada08daa5a6d
Instruction Fuzzy Hash: 5B012D74E0524A9FCB50CFB8D4452AEBBF4FB19300F1491AAD404E7342E7345A15CB91

Function 06EEA54C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1d6f614ac6ee4a5cc489c8bf4c0a8755d2d982885a0df6bb2bc192c5f0f065
Instruction ID: 07cfe2cb5533c3be834fa2c35a3bb277f459a2fbbc215955053240c98f90c941
Opcode Fuzzy Hash: 1d1d6f614ac6ee4a5cc489c8bf4c0a8755d2d982885a0df6bb2bc192c5f0f065
Instruction Fuzzy Hash: 28014F74A4A259CFEB50CB68DD90AE9BBF9BB8A300F0061F9D14D97296D6301A45CF50

Function 06EE8430 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d273a10c6d571aca31bce4ffdbabfa6fb5be0d0fe66eba3466592bf605e501f6
Instruction ID: 45900b7de03189d844cf8b4ab4163ab83de2ff818e4937c58de151766e587031
Opcode Fuzzy Hash: d273a10c6d571aca31bce4ffdbabfa6fb5be0d0fe66eba3466592bf605e501f6
Instruction Fuzzy Hash: A0012CB4E052099FC751DFB8D9016AEBBF5FB49300F1084AA9818E7341EB349B46CBA1

Function 06EE43B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2db19a73530ad4497b36bb63cfea97eae1d1572ebe1b64cec651a9695e16834
Instruction ID: 25f29aceb3bc8047a27a478268236a5ae83423ea05ac962853a7d7046c798c84
Opcode Fuzzy Hash: c2db19a73530ad4497b36bb63cfea97eae1d1572ebe1b64cec651a9695e16834
Instruction Fuzzy Hash: F5014B74E09309EFCB41CFA9C9411EEBBF4BB49300F1491AAD854E3241E7348A12CB92

Function 06EECB78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4758109abc8466b33ea5d9d8e5a02d6f775d6b49f4cc6510d3bf510dfe6baa5c
Instruction ID: 7a7adb95780d90d879319f0b278fecff5cb9865b114debdeb19e25a96d6ce0b5
Opcode Fuzzy Hash: 4758109abc8466b33ea5d9d8e5a02d6f775d6b49f4cc6510d3bf510dfe6baa5c
Instruction Fuzzy Hash: B201FB74E08208EFD744DFA9C649AADBBF5FF48700F25E494A8099B365DB309E50DB81

Function 06EE8440 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cd0e09a3a6a9d097907a920c380ba73bf37d00c1f7681d30acbccd2802f746
Instruction ID: 7d05b45ee97c5b9ac2ad8ec95938bd2811a56e199e188b70a7fa9a1f1598a4e0
Opcode Fuzzy Hash: 17cd0e09a3a6a9d097907a920c380ba73bf37d00c1f7681d30acbccd2802f746
Instruction Fuzzy Hash: 1301ECB4E04219DFCB90DFA8C5406AEBBF9FB48300F1094AA9818E7340EB359A02CB51

Function 06EE83C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f4c27a57c8af1a6774479a61857218b12b3f0f923dabacfe73b2c47b1dabb9
Instruction ID: 0cb8f0b80ddf112b01cbd56cd47ef2f4eb052fe2eb4c32ab035700f832d91004
Opcode Fuzzy Hash: a5f4c27a57c8af1a6774479a61857218b12b3f0f923dabacfe73b2c47b1dabb9
Instruction Fuzzy Hash: 620119B4D08348AFDB84DFA884411EEBBB4FB19204F1095A6D858E3241E7304A41CB40

Function 06EEBDF4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cce7645e02de6e5d7d99fdb04bbe7d56e6d24c311d9583b59300a95e62aa53
Instruction ID: 7c083a4fcc7fb5d3d2791260768be6aa33a89c0ff2813be6fe68374253d07794
Opcode Fuzzy Hash: 97cce7645e02de6e5d7d99fdb04bbe7d56e6d24c311d9583b59300a95e62aa53
Instruction Fuzzy Hash: F90104B4D08308CFEB48CFA6C8443EDBBF6BB89314F24E12AD42AA6254D73045468F90

Function 06EE3D21 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4831c5e6b9bf5186ee22d9892df8f8dada46cb0cd4d2c70ae837bda53bcf4e0d
Instruction ID: 384190a5b06cc9cfb42ad08a89e8529c3e866d4c7f2b05772bfeae0ad480ed54
Opcode Fuzzy Hash: 4831c5e6b9bf5186ee22d9892df8f8dada46cb0cd4d2c70ae837bda53bcf4e0d
Instruction Fuzzy Hash: 6B011978D09248AFCB91DFB989425ADBFF8EB0A200F4495AAD815E3651E7344651CF81

Function 06EECB00 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b144be344531c2de7428b89514d5fc82c6dfa5a4a9881f43702b58466e8fa1c1
Instruction ID: 7b76455db39f236e8a322c1971734827f8bf7c2cb35d5d433afcdfacd9f50612
Opcode Fuzzy Hash: b144be344531c2de7428b89514d5fc82c6dfa5a4a9881f43702b58466e8fa1c1
Instruction Fuzzy Hash: 7DF08C70E08208DFD744CF5AD5009FDBBB9AB49700B20B9A494295B259DB309A45DBC0

Function 06EE7F41 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a639be8830a6a6862e815f25aecf3be45076261b648a7ae9b8dec84d1d6dd7
Instruction ID: 94c710a1eba960ac4944eb5911099fd9d565c834db16e77ffdc9cc290d98e2a1
Opcode Fuzzy Hash: 70a639be8830a6a6862e815f25aecf3be45076261b648a7ae9b8dec84d1d6dd7
Instruction Fuzzy Hash: 03F049B0D09349AFCB85DFF889052AEBBF5BB09300F2095AAD854E3351E7748A41CB91

Function 06EE7049 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc88adb42e4430ca26bcc9628c4d7d93c77cb1f1cbd4b38874a32b63ded3811
Instruction ID: f0127543e6b10e82931e8a5abbb802082c80f7d9ac28be1eda846180742c584c
Opcode Fuzzy Hash: 1fc88adb42e4430ca26bcc9628c4d7d93c77cb1f1cbd4b38874a32b63ded3811
Instruction Fuzzy Hash: 4AF0B4726043486FDB89DFA8DC418DA7FBDDF05224B1481ABE004DB221E632A9409764

Function 0076D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748114284.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ffce98d83ded3d0403aecc5913a61a679b3ab2f02249cd035a83e2a9a3b49c
Instruction ID: a10f3925395da5e15941f57baef9d863bc6e1a8ff7515900ec041b12672c36f5
Opcode Fuzzy Hash: 72ffce98d83ded3d0403aecc5913a61a679b3ab2f02249cd035a83e2a9a3b49c
Instruction Fuzzy Hash: F0F062715053449EE7208E16DC84B62FFA8EF61734F18C45AED094F286C2799C44CAB1

Function 06EE84F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f3fc8692c99c0f0b24f0e54e89ecbb268c96bb8ecead5cd5befe58b9b5e889
Instruction ID: 47b95c972c80784ad809458e553b4243a1868943d6c44a673f29c5a0d396b961
Opcode Fuzzy Hash: 55f3fc8692c99c0f0b24f0e54e89ecbb268c96bb8ecead5cd5befe58b9b5e889
Instruction Fuzzy Hash: 26F05E70D09348AFCB95DFB8944569EBFF4BB0A204F1496EAD849E3242EA344A45CB51

Function 06EEA7B1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921f859524aff3471e576b07729a291fff68070b580af37c3a830f64861796d0
Instruction ID: bee73863691c3f126d3ea0b9781b23ee5b644eb9f019ef3396e329cbf69454ae
Opcode Fuzzy Hash: 921f859524aff3471e576b07729a291fff68070b580af37c3a830f64861796d0
Instruction Fuzzy Hash: 73F0E270E0A385CFEB51CB68E8989DCBBB6FB86204F0160FEC04897196D6301A89CB51

Function 06EECE40 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe2155092ae213caa5b548768538994ae50236e62910e756a48099d28ad3bbb
Instruction ID: 158ea52ccf901b63cc73c0dad2ce23e027751b1420ff1ba359274024a644bb0b
Opcode Fuzzy Hash: abe2155092ae213caa5b548768538994ae50236e62910e756a48099d28ad3bbb
Instruction Fuzzy Hash: 2AF0DAB0D0470A9FDB54DFA9C842ABEBBF4EB48600F1045AAD918E7350E77599018BD1

Function 06EEADDB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e25e9f27a24895bd1bbf8958345943ef0f04654467e404b9a05a5562f6c5785
Instruction ID: ffb8c20a0d7a40fe16315c6a9bab627c2acb0e7c1640e97e5b2e24631fca933d
Opcode Fuzzy Hash: 5e25e9f27a24895bd1bbf8958345943ef0f04654467e404b9a05a5562f6c5785
Instruction Fuzzy Hash: 1DE01A70D0A348AFCB91DFB9D84569DBFF4AB06200F2551EAD844D3291F6341F95CB91

Function 06EE5FBD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d30915445ed9322ea6a3a189e9f8a0d78c11d7f92f3a752e92cd8aef558c32a
Instruction ID: fd776ace16414fd4f84088cf8b6d63feb588180c320f6d7906582732af1747ca
Opcode Fuzzy Hash: 5d30915445ed9322ea6a3a189e9f8a0d78c11d7f92f3a752e92cd8aef558c32a
Instruction Fuzzy Hash: 35E08C72C00129AB8B11ABE9A8054EFFF38AF0A620B118112F8516B200E3710A72CBE1

Function 06EEFAF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6215cc66e1e1732329fc7d4e155a495388d11719f4cf8b683ffefc4bf274b6c1
Instruction ID: 39a3b5cf2bda616eefc787a7a470206bd133ba4ca5e74d8d541aca7690e7dbea
Opcode Fuzzy Hash: 6215cc66e1e1732329fc7d4e155a495388d11719f4cf8b683ffefc4bf274b6c1
Instruction Fuzzy Hash: 4AF039B4E0420CFBCB54EFA9D40569CFBB5FB48300F00C0AAA818A3390EA345A61DF41

Function 06EEA3B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc9b87328cff1436fc5fbca180b6f202f204fed0b72ad816758c22178419fd
Instruction ID: 27b6f7615cc7ab3c769240edc570b2074b7a7af2c87d7ba8eb83577469493d93
Opcode Fuzzy Hash: 5bbc9b87328cff1436fc5fbca180b6f202f204fed0b72ad816758c22178419fd
Instruction Fuzzy Hash: D9D05B6004A3C59FC36227B57C1D6A97F64AB07111B8911A2F54C414935B5415E5DB61

Function 06EE4E90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad4786e825a512004908e9481dd62f736cd3785e28c6d0d4ee69c76d730d07d
Instruction ID: 90c6401f337315f9f54032bd08e4d4ce62133ed2c6ee3239cec80f1296aa2e3e
Opcode Fuzzy Hash: fad4786e825a512004908e9481dd62f736cd3785e28c6d0d4ee69c76d730d07d
Instruction Fuzzy Hash: ECE08C30D01308EBCBA0EAA494046AD77F8AB05204F506599D40597290EB300A44D681

Function 06EECCE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ee1c4548ec09d20a304f988c81db1a029d3bf260df322b89a66bf5ebc1233d
Instruction ID: 29f795c719c999fed472d860ec40a6a0641e367283f5f622a3577e1739e24741
Opcode Fuzzy Hash: 08ee1c4548ec09d20a304f988c81db1a029d3bf260df322b89a66bf5ebc1233d
Instruction Fuzzy Hash: E6E092B4D4020ADFD790EFA9C905A9EBFF0AB08600F2185A9D029E7211E7B596048F91

Function 06EEDE28 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459ea65e619d965ffc903234101e9a180a5ccdf64fecf9b67fcea58a7cd3c093
Instruction ID: f287d3147a84e568a6e3c68a89296949535a46063878a978907a441155b1a393
Opcode Fuzzy Hash: 459ea65e619d965ffc903234101e9a180a5ccdf64fecf9b67fcea58a7cd3c093
Instruction Fuzzy Hash: 62E04670D00208EBCB14DFA9E40959CBBB4FB44300F1081E9D80453380E7355A91CF80

Function 06EEADE8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2c2b9a82d8bde6a477e5bccae7a5d0ba7667f9876f225aa7f6b074da0ba875
Instruction ID: 3d6de276c44a39899b6a403804c3cddd4af78d400c0d0f6ec0307e706afc3585
Opcode Fuzzy Hash: 5a2c2b9a82d8bde6a477e5bccae7a5d0ba7667f9876f225aa7f6b074da0ba875
Instruction Fuzzy Hash: E9E01770D05208EFCB90EFB9E54A69CBBF4AB04301F5091A99908A3390EB745E90CB91

Function 06EE5FC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 92b71686146f6728ad9a152375132006c8bc9ea2bba23b937c34d52b29501629
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 36D09E72D001399B8B10AFE9DC054DFFF79EF05650F518126E915A7100D7755A21DBD1

Function 06EE55D0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b683ad864fbf2d4d5e6ed028739d1b909f95f34951ec01cb9df4a8ba2cf48f15
Instruction ID: 35ebfa3070b79957c3059e494b9cdd9bff57d1b0c11f53275b4acf5c4f1bd59c
Opcode Fuzzy Hash: b683ad864fbf2d4d5e6ed028739d1b909f95f34951ec01cb9df4a8ba2cf48f15
Instruction Fuzzy Hash: 95D012760483C05ED7C767108D188A17FBCBFAB20071998C7E4C0CA072D5114929DB12

Function 06EEE1B0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96a9e5bac586bdbb97ffa8b9acfb785e48eefacccfa069c9ac0f8a920538343
Instruction ID: 64ed38731b8766938ac9fc455e145f70d3e57ad5d2dc07d1e50d6d980a1fc1f6
Opcode Fuzzy Hash: c96a9e5bac586bdbb97ffa8b9acfb785e48eefacccfa069c9ac0f8a920538343
Instruction Fuzzy Hash: B5D0227080630CEBC3A8EBE6D401B99737CEB02604F9050ECD81413290EF734E80CB80

Function 06EEAE18 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40c3f92561787d2ccd405cc4ce365aa39b8a57530e7956a512ddf985b6b38bc
Instruction ID: 5d1bf4f9f2ad697a43a9210ba35eb819440e878019c39d40fb66e0e7f1cac8ba
Opcode Fuzzy Hash: f40c3f92561787d2ccd405cc4ce365aa39b8a57530e7956a512ddf985b6b38bc
Instruction Fuzzy Hash: 51D012719097445FC7818F5498410B87FB0EB1B210B0552D7DD49C3372D53106928792

Function 06EECF78 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35988c87b80f5bdb82717d2450ccb9fba656f960003d491dd7aafcadbb3e74ca
Instruction ID: daa6ac949aaf5beb39221054900300c66692b41e6322f95e47e497e727625075
Opcode Fuzzy Hash: 35988c87b80f5bdb82717d2450ccb9fba656f960003d491dd7aafcadbb3e74ca
Instruction Fuzzy Hash: 5AD012371102095E8BC0EFA5EC40C5277DCBB24700B008422E504C7031E621F434DB91

Function 06EEA3C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2730e76f2a9b5a9533c28b48cdc5590e514780401170413ec5122ea14a183af
Instruction ID: 66f560ac1278cecf35a988a55f39bc8018922cb924a20896cc36efa072875f3c
Opcode Fuzzy Hash: f2730e76f2a9b5a9533c28b48cdc5590e514780401170413ec5122ea14a183af
Instruction Fuzzy Hash: B6C08C70001308CBC3B02BDBB80E36877A8FB01216F805024B20C408915FE404A0CAA1

Function 06EE7029 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36064483b519b2e978a4af02b2cc24d2fdb8d15982de2946cc766c831adfef9e
Instruction ID: 29cd700fa8a2b14f206e60606e1b6b9a3152f934683d82b1807332a98c2ba29e
Opcode Fuzzy Hash: 36064483b519b2e978a4af02b2cc24d2fdb8d15982de2946cc766c831adfef9e
Instruction Fuzzy Hash: 14B092AA854280B492C556A04C809A9AB543AAA724B284402E29400142E26303629612

Non-executed Functions

Function 06FD0CE8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

X*~, xrefs: 06FD0EB3

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID: X*~
API String ID: 0-3527923643
Opcode ID: 21c4d59ce88ea2e92239acf8c1ce3d2a9375dd2f77ade533563e978bfa6d2fe6
Instruction ID: 1761428ebf9c4f859da1207f24079560cf161837a4e49fca1fe116169f970437
Opcode Fuzzy Hash: 21c4d59ce88ea2e92239acf8c1ce3d2a9375dd2f77ade533563e978bfa6d2fe6
Instruction Fuzzy Hash: B3E1FD74E002598FCB54DFA9C5809AEFBF2FF89304F248169E415AB356DB31A941CFA1

Function 06EEF6C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb16250024426f224fb3acdf58286effe644abea06f72fa222a3a3b67a4537bd
Instruction ID: 267f72fe82c29b5debdd34b83d8835a199153752c006f960e2b2f0e3fa4e021e
Opcode Fuzzy Hash: bb16250024426f224fb3acdf58286effe644abea06f72fa222a3a3b67a4537bd
Instruction Fuzzy Hash: 0CE10C74E002198FCB54DFA9C5909AEFBB2FF49304F249169E419AB356DB31A942CF60

Function 06EEF288 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4286d50acc9d218d1354a67d77fa38390eb3a307df73adb8a04a8174cc748757
Instruction ID: 37af211e85a2ccf8051695d3874fb6f73060e346371f99cf863f1fa2568dffee
Opcode Fuzzy Hash: 4286d50acc9d218d1354a67d77fa38390eb3a307df73adb8a04a8174cc748757
Instruction Fuzzy Hash: B0E1FD74E002198FCB54DFA9C5809AEFBB2BF89304F24D169E415A7356DB30AD42CFA1

Function 06EEEE50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7f67bec7c95874885cb078ee87dd26faa25a14f4c022384e363b20f37729ec
Instruction ID: 0814dedd1068b9cf980f70110f489a72cf848e2154c26d8929d7c1d9c924666e
Opcode Fuzzy Hash: 3d7f67bec7c95874885cb078ee87dd26faa25a14f4c022384e363b20f37729ec
Instruction Fuzzy Hash: 05E11C74E002198FDB54DFA9D5809AEFBB2FF89304F249169E415A7356DB30A942CF60

Function 06EEEA18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6891e3c2881ec76c71dfb9f9b10b8a07d3e66c4652c64a4d1af17d96821550a0
Instruction ID: 7b306bb0fc63870692e0e0843ea9043c02aabedab090d81102c2673e764cee48
Opcode Fuzzy Hash: 6891e3c2881ec76c71dfb9f9b10b8a07d3e66c4652c64a4d1af17d96821550a0
Instruction Fuzzy Hash: B6E10C74E002598FCB54DFA9C5809AEFBB2FF89304F249159E415AB359DB31AD42CFA0

Function 06EE6669 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c88a6becf15a5cb6e411b3fb325109a6b7128167d9899a4a4e28b9308b3f1eb
Instruction ID: 4ed2ec1af837808c4f455c05b20c95ea3669550327a5b17badf00a7a38dd3c61
Opcode Fuzzy Hash: 2c88a6becf15a5cb6e411b3fb325109a6b7128167d9899a4a4e28b9308b3f1eb
Instruction Fuzzy Hash: 68E1F731D1075ADACB10EFA4DA50A99F7B1FF95300F50C79AD4093B264EB70AAC9CB80

Function 0081D57C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748382120.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b4849b6c8bad8bedc4a67b77b42ea47aa7e4b0a4f386ce8d24c3d44f9896d7
Instruction ID: 805e488d5862bab1e0a4adb94c3b9f3746a8f988693a8a74c71a6c61a491737c
Opcode Fuzzy Hash: d3b4849b6c8bad8bedc4a67b77b42ea47aa7e4b0a4f386ce8d24c3d44f9896d7
Instruction Fuzzy Hash: ADA14A36A00209DFCF06DFA8C8405DEB7B6FF85310B15857AE905EB266DB71E996CB40

Function 06EE6678 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754062096.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22776afe340f5bcb19777422e5be7d7089a3f0b2367d5a6ab8222f34e4b5cd91
Instruction ID: 462ee9b86ff223e2935806c0c8a626bc1cef803f17d798ed0713c8d1f7383183
Opcode Fuzzy Hash: 22776afe340f5bcb19777422e5be7d7089a3f0b2367d5a6ab8222f34e4b5cd91
Instruction Fuzzy Hash: 3CD1E731D1075ADACB10EFA4DA50A99B7B1FF95300F50C79AD5093B264EB70AAC9CB80

Function 06FD0CD8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754133921.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fd0000_nowe zam#U00f3wienie.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c0268d617a3e4907db089a1f452b7ace3e0e194129f5c12efcfdf1b5209050
Instruction ID: fed5478970cefe628b1f024d521eff550cc5f488cc8fbd77ae08f7cdf04199b0
Opcode Fuzzy Hash: 86c0268d617a3e4907db089a1f452b7ace3e0e194129f5c12efcfdf1b5209050
Instruction Fuzzy Hash: D6511F75E002198FDB54DFA9C5405AEFBF3BF89304F24C16AD418A7256DB30A941CFA1

Analysis Process: MSBuild.exePID: 7852, Parent PID: 7416COMMON

Executed Functions

Function 02B93572 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

$kq, xrefs: 02B93596
Xoq, xrefs: 02B935AF

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID: Xoq$$kq
API String ID: 0-227003152
Opcode ID: 9aac3fc098b0e0c5d4b2b585ce7692596a4565754489e7494b428902bd329e9d
Instruction ID: 50fa4d1793d5ad75f767bb68f7b924e8e695a51567457ff8109b18c84cef4a75
Opcode Fuzzy Hash: 9aac3fc098b0e0c5d4b2b585ce7692596a4565754489e7494b428902bd329e9d
Instruction Fuzzy Hash: B2F14E75E01248CFCF18EFB9D5945AEBBB6BF89310B5484A9E406AB358DF349C02CB51

Function 02B93418 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

Xoq, xrefs: 02B93435
Xoq, xrefs: 02B9345E

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID: Xoq$Xoq
API String ID: 0-251439590
Opcode ID: df227adcb4001c6c55915e49c48580228018f0978f4fd35217a1c8afe6d86f13
Instruction ID: 05a401128c0de3c3a4c5bd9f2eba0939383918f8ced0faaf21abbd32d446643f
Opcode Fuzzy Hash: df227adcb4001c6c55915e49c48580228018f0978f4fd35217a1c8afe6d86f13
Instruction Fuzzy Hash: 8B31E672B003248BDF199A6A599837F6AEAEFC5314F1D44F9E806C3394DF74CC458691

Function 02B90C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02B90E5E

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 5e30c30caf1f2f1a8f65c5f9ce340394b8802cf5b712a05a302ab36e30d65a56
Instruction ID: a5e357bf678532d6a00b0645bde29db0eaa1c346e03899863aaa10586412f0f9
Opcode Fuzzy Hash: 5e30c30caf1f2f1a8f65c5f9ce340394b8802cf5b712a05a302ab36e30d65a56
Instruction Fuzzy Hash: 1122A575A00219CFCB64FF64E999A9DBBB2FF48311F1085A9E409AB358DB706D85CF40

Function 02B90CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02B90E5E

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: a32e6eed9b540fca799af200ebfbe667ca94a07a74f7681128569f2c30d0e7fe
Instruction ID: aa5a188466ec153fe22c4d82c8c8ef28e78252165841090aa07672eb697c3afc
Opcode Fuzzy Hash: a32e6eed9b540fca799af200ebfbe667ca94a07a74f7681128569f2c30d0e7fe
Instruction Fuzzy Hash: 2C22A675A00219CFCB64FF64E999A9DBBB2FF48311F1085A9E409AB358DB706D85CF40

Function 02B92060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbfbbadbfdc6aeebff20412029386156023e0ff4ca99b7615ff505d7ade9fd3
Instruction ID: 7b7449530181216d3d07b27e4f06495e6ca12d3c6a392b68ef955175a052e2c3
Opcode Fuzzy Hash: 3cbfbbadbfdc6aeebff20412029386156023e0ff4ca99b7615ff505d7ade9fd3
Instruction Fuzzy Hash: 9221C135E00215AFCF15EF34C540AAE77A5EB88360F10C469DD0A8B358DB31EA82CBD1

Function 02B9215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08532bb90c46fbc50e5e2ada3a4c216140012555821997843819dbe1e248c07a
Instruction ID: 072348808ec0b6581942981ef9c1787f53ae28cba9d25525f955559382b506fc
Opcode Fuzzy Hash: 08532bb90c46fbc50e5e2ada3a4c216140012555821997843819dbe1e248c07a
Instruction Fuzzy Hash: E2112932E042599FCF02DBF8DC105DEFB71FF89210B2487A6D615B7290EA316945CBA1

Function 02B939ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd02ae4b4d8fbc0e091bf9a7abfd73e5ef23f306ccaacf28c4f5fdfca698b652
Instruction ID: da69f0bbd2937c3e30ca1723639853c5d6b4331e0c74bca8be04b59882e0adb7
Opcode Fuzzy Hash: dd02ae4b4d8fbc0e091bf9a7abfd73e5ef23f306ccaacf28c4f5fdfca698b652
Instruction Fuzzy Hash: F2318379E11308CFCB44EFA8E59489DBBB6FF49311B204469E819AB368D735AD45CF40

Function 02B91F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79877c7292e56fcd35399fccefb2e295fdcb90b831403397387da9f0a3f84bfd
Instruction ID: bfdd15718c8b6e119cd3c26ca4f44e02f0242ce0a2b4a643a2d788d357ce0063
Opcode Fuzzy Hash: 79877c7292e56fcd35399fccefb2e295fdcb90b831403397387da9f0a3f84bfd
Instruction Fuzzy Hash: A1213674D1460E8FCB00EFA8D4496EEBFB0FF09300F1051AAE949B7264EB305A41CBA1

Function 02B91F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6a8804ce4d9fd512a7537c4e91e0bb7b3912427573fab929587cac73935463
Instruction ID: 5bee8e2f615c10ae03756e98f579321d5990163dd32344dd09dd89183cc97ce6
Opcode Fuzzy Hash: de6a8804ce4d9fd512a7537c4e91e0bb7b3912427573fab929587cac73935463
Instruction Fuzzy Hash: DE21C074D1120E8FCB44EFB9E9496EEBFF4BF49300F10516AE809B2254EB341A55CBA1

Function 02B92010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c040aedea7e7f2893d560c5f772b413937f74f8f6ced0a4d7fdc91c8f3f0e77f
Instruction ID: 92af68d69855b1105969944ccbd1fe5702ed60e491c97f800419829d0df2b13c
Opcode Fuzzy Hash: c040aedea7e7f2893d560c5f772b413937f74f8f6ced0a4d7fdc91c8f3f0e77f
Instruction Fuzzy Hash: 1CE08636D2536A52CB01D7B1EC095DEBF78EFD2210F44465BD52037052FB702659C3A0

Function 02B92020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2951840308.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2b90000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868879ed4f0c9884f6684d4c86600dd877274b98e29f39c782e90d2964fe10da
Instruction ID: f4ad74a97bf9ab54e41a911c88b5c0185c5ebc42f9a76bdc277d2c17e74f6bbf
Opcode Fuzzy Hash: 868879ed4f0c9884f6684d4c86600dd877274b98e29f39c782e90d2964fe10da
Instruction Fuzzy Hash: 69D02B31D2022B43CB00E7A1DC004DFF738EEC2220B404223D51037000FB302698C2E0

Analysis Process: fUamrQdFSPAg.exePID: 7936, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	14

Executed Functions

Function 077134B8 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

poq, xrefs: 0771393D
4'kq, xrefs: 07713874
~, xrefs: 077136D6
:, xrefs: 07713737

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: 4'kq$:$poq$~
API String ID: 0-3551392484
Opcode ID: c51870a7cdbb5ffa82f53ecdbd63a3e8b623014dafd9a086c368750c2841d8f5
Instruction ID: a3620768a027d01586a70a50b148957ac5f8ace30b7e1d1d101142a5fdcbe032
Opcode Fuzzy Hash: c51870a7cdbb5ffa82f53ecdbd63a3e8b623014dafd9a086c368750c2841d8f5
Instruction Fuzzy Hash: AD42E1B5A00218DFDB15CFA9C984B99BBB2FF89304F1584E9E509AB361DB319D91CF10

Function 07712106 Relevance: 1.8, Strings: 1, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 0771210B

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: b8223eeea035e5678368f4312f1cee51ea77d80d5e887b3b35037fcc4725498f
Instruction ID: 10f23f3d76e92acf62a0fc98925b703261863edce79053ccf5addadd5fd32cf1
Opcode Fuzzy Hash: b8223eeea035e5678368f4312f1cee51ea77d80d5e887b3b35037fcc4725498f
Instruction Fuzzy Hash: A952A574A012298FCB64DF68D998A9DBBB6FF89310F1041D9D509A73A5CF34AE81CF50

Function 0771BD22 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c3fe768987d69adf733050bef4f7ec7c5677237e9934df3113d22ef5d72c60
Instruction ID: e0af596d374cd70ecd862ee5a99aa347bbf5dcc3928a78c7c7cbafc6e7d20d1d
Opcode Fuzzy Hash: 89c3fe768987d69adf733050bef4f7ec7c5677237e9934df3113d22ef5d72c60
Instruction Fuzzy Hash: A411D4B1E046189BEB18CFABD9443EEBEF7AFC9300F14C06AD40976264DB7409468F90

Function 07712C38 Relevance: 7.9, Strings: 6, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 07712C53
4'kq, xrefs: 07712CAE
4|pq, xrefs: 07712E28
4'kq, xrefs: 07712CDE
4|pq, xrefs: 07712E43
$kq, xrefs: 07712D00

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq$4|pq$4|pq$$kq
API String ID: 0-377471079
Opcode ID: fa6919f3f93c1403135582ed1d7aee6764f30c0e71300c5c6e8dc4a8c0dd47c6
Instruction ID: 6e6f10e4b5e94f9dae0de0c16e2b4dacda92ffb45c08e977f8b35526f1e2dc57
Opcode Fuzzy Hash: fa6919f3f93c1403135582ed1d7aee6764f30c0e71300c5c6e8dc4a8c0dd47c6
Instruction Fuzzy Hash: DBE1CEB1B142168FCB19DF7CD85866E7BE6BF89290B254869E006DB3A1DF30DC41CB91

Function 0169CFF1 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0169D07E
GetCurrentThread.KERNEL32 ref: 0169D0BB
GetCurrentProcess.KERNEL32 ref: 0169D0F8
GetCurrentThreadId.KERNEL32 ref: 0169D151

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 200dd4626da74c05ff933899147843255a76efbd16ae5f5dacb919bdb46fb67a
Instruction ID: 787d27e1708fa16fdabf3023b1e11324e169421100d43fa96ca22d2cf8c9bcfe
Opcode Fuzzy Hash: 200dd4626da74c05ff933899147843255a76efbd16ae5f5dacb919bdb46fb67a
Instruction Fuzzy Hash: 465164B09006498FDB14DFA9D948BEEBBF1EF88304F20C069D419A73A0DB349984CF65

Function 0169D000 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0169D07E
GetCurrentThread.KERNEL32 ref: 0169D0BB
GetCurrentProcess.KERNEL32 ref: 0169D0F8
GetCurrentThreadId.KERNEL32 ref: 0169D151

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5ea3b88aa1a97297507a8ca6f5bc8ff634f65c63f64fb1202fa3798871de47c7
Instruction ID: 821ccd72805507ebf62dc0c0a54ca561cae89016b6319aa953bc558f23aed3dc
Opcode Fuzzy Hash: 5ea3b88aa1a97297507a8ca6f5bc8ff634f65c63f64fb1202fa3798871de47c7
Instruction Fuzzy Hash: F05165B09007098FDB14DFA9D948B9EBBF5EF88314F208069D519A73A0DB349984CF65

Function 0771A369 Relevance: 2.6, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 0771A38C
H, xrefs: 0771A344

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: H$I
API String ID: 0-2132811256
Opcode ID: 67ae6141da8018593028fceabbc7c59d2980663e29b9dfd10a2ac6defe952cd2
Instruction ID: 7c7d4fa44a241cbf34db6e01bcdad98727c6a2c96aa068c084d297afd7dc4039
Opcode Fuzzy Hash: 67ae6141da8018593028fceabbc7c59d2980663e29b9dfd10a2ac6defe952cd2
Instruction Fuzzy Hash: 5F0122F084B200EFCB15AFB8B9483AD3FB0D706211F16899AE84EE3543DA344A18CB51

Function 07901534 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07901776

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 490470f2950f5dc9076de7754c1e53178558bba817e1da914272e6c1d84576f6
Instruction ID: 64565d82d039a6ed7e8aeb4a311ea47264448d19aa193d17d38cc9266b4f8907
Opcode Fuzzy Hash: 490470f2950f5dc9076de7754c1e53178558bba817e1da914272e6c1d84576f6
Instruction Fuzzy Hash: 1FA16AB1D1061EDFDB10CF68CC40BEDBBB6AF48318F1485A9E808A7290DB759985CF91

Function 07901540 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07901776

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6b14ed3b2d2a5ee0f0136849a8662effd9e3e2871f32a3964b10b5972f32df7c
Instruction ID: c06fea8d046d228fa3025234c4c846f04d984dbe3e83226a46eccfad2fd03e41
Opcode Fuzzy Hash: 6b14ed3b2d2a5ee0f0136849a8662effd9e3e2871f32a3964b10b5972f32df7c
Instruction Fuzzy Hash: B79159B1D1061EDFDB10CF68CC40BADBBB6BF48314F1485A9E808A7294DB759985CF91

Function 0169AD68 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0169AFBE

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ba6e8ebf965c06b208a5527437e6c2d58457a9d836e0ed915f68e4a9bd62ce36
Instruction ID: d0ab93d912fc322a6557864065983f19a6732546daed802b9b49262b26acd6b1
Opcode Fuzzy Hash: ba6e8ebf965c06b208a5527437e6c2d58457a9d836e0ed915f68e4a9bd62ce36
Instruction Fuzzy Hash: 96711270A00B058FDB24DF69D84475ABBF6BF88304F108A2ED48AD7B50DB35E949CB95

Function 0169590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016959C9

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7cabb4533588341209d69f7ff56f8c0dd120e201dda1473f73f07b5776dd9c8f
Instruction ID: 06cd5ba2bb5b87107ae60f895ff09f3fb5c2ae3c0306c08d0396e2bc7f1b9112
Opcode Fuzzy Hash: 7cabb4533588341209d69f7ff56f8c0dd120e201dda1473f73f07b5776dd9c8f
Instruction Fuzzy Hash: CE41B3B0C00719CFDB25DFAAC884A9DBBF5BF49304F2480AAD409AB255DB756946CF90

Function 016944B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016959C9

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c08e6e5308e42ef3f14cedbcb59b875cde0d94282d40f283340a0f7bceeb561e
Instruction ID: aa20f3554a7cd914f17d7c86518b521982ac72cbfb6f8de12d828c4c4d5619ae
Opcode Fuzzy Hash: c08e6e5308e42ef3f14cedbcb59b875cde0d94282d40f283340a0f7bceeb561e
Instruction Fuzzy Hash: 9441C3B0C0071DCBDF25DFAAC884B9DBBB5BF49304F24805AD409AB255DB756985CF90

Function 079012B0 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07901348

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ba2ab5961a32c4146136d63b9b8afb342534e9e5239b792bbb82bbb3b9757900
Instruction ID: 623ae1084546b5d3b1b3bf92cd74b9db344e3544a39b2f477f8878b6c75414ab
Opcode Fuzzy Hash: ba2ab5961a32c4146136d63b9b8afb342534e9e5239b792bbb82bbb3b9757900
Instruction Fuzzy Hash: D02148B1900319DFCB10DFA9C885BDEBBF5FF48324F10882AE959A7250D774A944CBA4

Function 079012B8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07901348

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 55c6e139903af8cfd13a9b067acde9014f2579e281fd1a620d08ba84da4586b5
Instruction ID: f13b06b898acd5fd39374a79eae1705329ff0f95663e758b5bd22db63cf93eb7
Opcode Fuzzy Hash: 55c6e139903af8cfd13a9b067acde9014f2579e281fd1a620d08ba84da4586b5
Instruction Fuzzy Hash: 7F2139B1900359DFCB10DFA9C985BDEBBF5FF48324F108429E959A7250C7789944CBA4

Function 07901118 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0790119E

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3365633f6a2fd23bae364196bf5e63ddb17b8923c49ec10dd975a2926da143d4
Instruction ID: e7548d7b8f21acfd9d1aa31775ebf4dfc48a2bf50a94274ccea1a561dbf777c0
Opcode Fuzzy Hash: 3365633f6a2fd23bae364196bf5e63ddb17b8923c49ec10dd975a2926da143d4
Instruction Fuzzy Hash: 40215CB19103099FDB14DFA9C4857EEBBF4EB48364F10C429D459A7240C7789984CFA4

Function 079013A1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07901428

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a7893b3ec721df95eef99c0595c4b1a293feda5db218b7337da33e89693d5956
Instruction ID: e90c2ae88150bbc1756daaa968806daa027772b7ec13c2719132e9043348e6c5
Opcode Fuzzy Hash: a7893b3ec721df95eef99c0595c4b1a293feda5db218b7337da33e89693d5956
Instruction Fuzzy Hash: 6C2139B19003599FCB10DFA9C840ADEBBF5FF48320F108429E958A7250D7749544CBA4

Function 0169D648 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169D6D7

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21fca96b314b2dbf666c121700e3e0a47857bcd59cd62489f0b5b793df39b8a2
Instruction ID: 13daff1b90fef11d49533ff482cb91e79747f39c94b18e38b451f438324a7834
Opcode Fuzzy Hash: 21fca96b314b2dbf666c121700e3e0a47857bcd59cd62489f0b5b793df39b8a2
Instruction Fuzzy Hash: 7D21E5B5900219DFDB10CFAAD984AEEBBF5EB48314F24841AE918A7350C374A944CFA4

Function 079013A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07901428

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ebc539313ab03809d1db6063a64debdb0104eb2996d714163913b0f21e528218
Instruction ID: a5ea492507f001603c789e53a9b3b3780b5361ba80c50606d2a0b40d090af90a
Opcode Fuzzy Hash: ebc539313ab03809d1db6063a64debdb0104eb2996d714163913b0f21e528218
Instruction Fuzzy Hash: 6C2139B1D003599FCB10DFAAC880ADEFBF5FF48320F508429E958A7250D7349544DBA4

Function 07901120 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0790119E

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce36f1bb20cb758f6c053528318b1077b8acbea24dda02ea8c4e28b144453602
Instruction ID: 9532f415ebdb1afc8be97b0241c86904bf27978e2f51ee153547a1fcb9b54e20
Opcode Fuzzy Hash: ce36f1bb20cb758f6c053528318b1077b8acbea24dda02ea8c4e28b144453602
Instruction Fuzzy Hash: 532138B1D003098FDB14DFAAC4857EEBBF4EF48324F108429D459A7240C7789984CFA4

Function 0169D650 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169D6D7

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f90798164ed39e7aa39b64566bee27dac8f1a25f040483c1387e7d1c8af82bf
Instruction ID: 120b4efc9c83e0bc141aa2b9e89de69180826478d439f7fe5ed19941adb18ee0
Opcode Fuzzy Hash: 9f90798164ed39e7aa39b64566bee27dac8f1a25f040483c1387e7d1c8af82bf
Instruction Fuzzy Hash: 8621E4B59002189FDB10CF9AD984ADEBFF8EB48310F14841AE918A7310C374A944CFA4

Function 079011F0 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07901266

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 721ef3cb80c64952688562d88ff3299a0f9195c8ed498b9d4e36ec76d2c4d82c
Instruction ID: a2fa47d99701bc6d1aa723a910aaf8cc0c19a06904055135d1b85932ac90d99d
Opcode Fuzzy Hash: 721ef3cb80c64952688562d88ff3299a0f9195c8ed498b9d4e36ec76d2c4d82c
Instruction Fuzzy Hash: 2D1159B5800249DFCB10DFA9D845BDFBFF9EB88324F208819E555A7250C735A944CFA0

Function 07714FDF Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

@, xrefs: 07715107

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4c582f9533463e3147551761350f0a074f8a5632198cbcdea29d2ed617bc4bc6
Instruction ID: 8b585db0cb9752c2c6ddd1192723bdef2fd8b36d0e5ce147940372dc642f0164
Opcode Fuzzy Hash: 4c582f9533463e3147551761350f0a074f8a5632198cbcdea29d2ed617bc4bc6
Instruction Fuzzy Hash: 9DE192B4E002198FDB54CFA9D880A9DBBF1FB89354F1495AAD819E7341EB31AD81CF50

Function 079011F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07901266

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 58b60a4ca6bb8ed6bf8f8ffc2e7043695bccef96a9e3fad5156e6714442d52ec
Instruction ID: a39e8aa4713fd873ce44655000256753ac1dcc814b88a1ffd0166c225ad294bf
Opcode Fuzzy Hash: 58b60a4ca6bb8ed6bf8f8ffc2e7043695bccef96a9e3fad5156e6714442d52ec
Instruction Fuzzy Hash: C51126B1900249DFCB10DFAAC844ADEBFF5EB48324F208819E555A7250C775A554CFA0

Function 07900C31 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07900C9A

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e4c072effa4bbc409ce8c3a9a061a4a5536ceab542392830eae02ae5eec7b1df
Instruction ID: e230b68c2c301b35a6c47a834895c690d9881344ffd77211b1b7ad24cd0e4198
Opcode Fuzzy Hash: e4c072effa4bbc409ce8c3a9a061a4a5536ceab542392830eae02ae5eec7b1df
Instruction Fuzzy Hash: 961146B19003588FCB20DFAAC445BDEFBF9AF88324F24881AD559A7250CA35A544CBA4

Function 07900C38 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07900C9A

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 086bc3eb692cee14d8e524855e3d10ef1529697f2a091ad7a00c2e8232e08876
Instruction ID: 8b73fa5743b830b10c54c3fdfe219804da6518f0bdb623b0a24f8d3beea29e73
Opcode Fuzzy Hash: 086bc3eb692cee14d8e524855e3d10ef1529697f2a091ad7a00c2e8232e08876
Instruction Fuzzy Hash: 9D1136B1D003598FCB20DFAAC4457DEFBF9EB88324F208829D459A7250CB75A944CFA4

Function 0169AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0169AFBE

Memory Dump Source

Source File: 00000009.00000002.1778466131.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1690000_fUamrQdFSPAg.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: adb65f8a760203dabcda8d8f12fb5f181db3bb2034200548361bb5c5ddeaa5c3
Instruction ID: bf05a590d4c5a8eb302fd71bf42663230d71c6ebf6f7c5007a4d965606c1da68
Opcode Fuzzy Hash: adb65f8a760203dabcda8d8f12fb5f181db3bb2034200548361bb5c5ddeaa5c3
Instruction Fuzzy Hash: BB1113B6C002498FDB10CF9AD844ADEFBF8AB88324F10841AD818A7650C375A545CFA1

Function 07904B90 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07904BED

Memory Dump Source

Source File: 00000009.00000002.1787131029.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7900000_fUamrQdFSPAg.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7cda5c0870be3ba1ed6e6f384702313e2124d57d236392c4220830785797773d
Instruction ID: c275dd48996cc4995e248e9e68b24d55b94d4a1111a05fbeecfe6deb2e5976ef
Opcode Fuzzy Hash: 7cda5c0870be3ba1ed6e6f384702313e2124d57d236392c4220830785797773d
Instruction Fuzzy Hash: FF1115B5800349DFCB10DF9AD485BDEFBF8EB48324F108419D958A7250C375A544CFA1

Function 07713D9E Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

LRkq, xrefs: 07713E1A

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 1e72c208d9e5c44184126b9ae419ac98514256030ea6a2da5a0804daa2d26bc1
Instruction ID: 59d24ff69202b31ef24d4304f17c2f9bcb4d916e3db286bb2620f87c847cae12
Opcode Fuzzy Hash: 1e72c208d9e5c44184126b9ae419ac98514256030ea6a2da5a0804daa2d26bc1
Instruction Fuzzy Hash: 3D91D5B4E042099FCB54CFA9D8846ADBBF6FF89350F10856AD819E7341EB359946CF40

Function 07714894 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

Tekq, xrefs: 07715C51

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 1775f8c1a625b6d03554181d0fd45d7e12a5259b70163b61e10966118b599f70
Instruction ID: 83b712e02936e1f62a74a23e81db7bca87b6a9c8889a35e093a9f3bf61ed227e
Opcode Fuzzy Hash: 1775f8c1a625b6d03554181d0fd45d7e12a5259b70163b61e10966118b599f70
Instruction Fuzzy Hash: 3951BF71B002168FCB15DF7D98488AFBBF7EFC5260725896AE416CB391DB309D0587A0

Function 07714428 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8oq, xrefs: 077144C9

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: d96d05c503ef51b3da301f3ca151847d5eeabc6277d65b0ef6c3abd39bd49e32
Instruction ID: d025f8028d70cf09d30bef6763452c5807a8eefc581a35d617cdb7a2d9131055
Opcode Fuzzy Hash: d96d05c503ef51b3da301f3ca151847d5eeabc6277d65b0ef6c3abd39bd49e32
Instruction Fuzzy Hash: A141E8B9E011099FCF44DFA8D9949AEBBF2FB89300F108469E819A7350DB35AD42CF50

Function 07714417 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8oq, xrefs: 077144C9

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: a3de78996a552b24e719982483bc570632db63dc6d701aae74de8463b09a27c2
Instruction ID: 30e31572ec43482c28b39ecf9cf18d0ba9847f133c500daf66ba71c62df5f21d
Opcode Fuzzy Hash: a3de78996a552b24e719982483bc570632db63dc6d701aae74de8463b09a27c2
Instruction Fuzzy Hash: F8413C74E011499FCB04DFA8D9946EEBBF2FB89300F14846AE819AB350DB359D02CF50

Function 0771AEC8 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AF3B

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: f5ca4a36698b87c1eaa03741dee3e9d4986fe47e4c81671b453963f0a85e498b
Instruction ID: 0a857e3c5cc3127b00971519d77c15dd23404164971ddf88335bd75103197b07
Opcode Fuzzy Hash: f5ca4a36698b87c1eaa03741dee3e9d4986fe47e4c81671b453963f0a85e498b
Instruction Fuzzy Hash: 9131C9B4E15209CFCB04CFA9D9849EDBBB6FF89300F10812AE909AB355D7359945CF50

Function 0771AE94 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AF3B

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 97f8db4055200570d98a66f399b36339ab6840467e5e0072e48c8a4dd7ae1420
Instruction ID: 9394fc62e08783b35a42ffbac02d0b99b3042243abe0b8a127a110f7b3a7f198
Opcode Fuzzy Hash: 97f8db4055200570d98a66f399b36339ab6840467e5e0072e48c8a4dd7ae1420
Instruction Fuzzy Hash: 7031B2B4E05209CFCB04CFE8D9849EDBBB5FF49310F14912AE909AB351C735A945CB50

Function 07715608 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 07715673

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 7a2b892d5beb3f06c29a46bbdb8a1f34c2de46c79640049980c42f16ad8e187d
Instruction ID: fe6b484321da709c192cdaff6a8eab420b3de416ccbb5bf008d732959f7f1458
Opcode Fuzzy Hash: 7a2b892d5beb3f06c29a46bbdb8a1f34c2de46c79640049980c42f16ad8e187d
Instruction Fuzzy Hash: 221148B1B0120A8BCB18EBADD9105EFB6B6ABD8650B204479C504E7358EF359E11CBE1

Function 0771AE23 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AEA4

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 740e3e323837c36b3519d9613fb3952af0c00af94d8c2f2fbc101b772e6ecd08
Instruction ID: 9b6137bd17c28fb41d5a8bfe124beee6653a62423ce123665da8c7f3d67577ea
Opcode Fuzzy Hash: 740e3e323837c36b3519d9613fb3952af0c00af94d8c2f2fbc101b772e6ecd08
Instruction Fuzzy Hash: C811F6B4E116498BDB08CFEAC9456DEFBF6AF89300F14C02AD415AB358EB74194A8B50

Function 0771AE28 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AEA4

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 94a0016edea24b71838fcf63f0b0740ea943615ce05d59a2d0f647b65fa263de
Instruction ID: 7e44f647f278ef67b4a47662d0f45d7c81c9be0ab622ad4810bc2ccff9226805
Opcode Fuzzy Hash: 94a0016edea24b71838fcf63f0b0740ea943615ce05d59a2d0f647b65fa263de
Instruction Fuzzy Hash: 861107B4E106498BDB08CFEAC9456DEFFF6AF89300F14C02AD415AB358DB7419068B50

Function 0771AEFE Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AF3B

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 358a51f4e97f5c6227784a8375b1c2001b7799f3d79651ec56ae9892a39743f2
Instruction ID: c1b4116c7362ee5097b167ce7ffd2e4fe20f2b08356f9884f62001a9fceba22f
Opcode Fuzzy Hash: 358a51f4e97f5c6227784a8375b1c2001b7799f3d79651ec56ae9892a39743f2
Instruction Fuzzy Hash: C41180B5E00209CFCF04DFE8D8849ADBBB6FB89310F10812AEA19AB355C735A855CB50

Function 07717EF9 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

;, xrefs: 07717F1C

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: f06fbfa1cf2ae2d9976a6521a1456ac9b3a8422833b851cde6d266b28469c388
Instruction ID: 6b0839998e2a25e8311f6baae0c7551b2d5d8f5894d7ac01036cb79327be4561
Opcode Fuzzy Hash: f06fbfa1cf2ae2d9976a6521a1456ac9b3a8422833b851cde6d266b28469c388
Instruction Fuzzy Hash: EA0184F5E052099FCB15CFE8C9456AFBFB9EB06390F104896E815D7341D7309A02CB91

Function 0771AE18 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AEA4

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: f497c46957705fc58a4bf9ea238dd3ec13d46ccec4b15b5378d27127ce1b299e
Instruction ID: 6f81aaa682e33bf7c1d30fc44bd03be0f0ca8a195289c70ac7e79d203f598944
Opcode Fuzzy Hash: f497c46957705fc58a4bf9ea238dd3ec13d46ccec4b15b5378d27127ce1b299e
Instruction Fuzzy Hash: D40108B4D192888FCB04CFEAC4512EEBFB6AF9A300F14D02AC405AB259DB34190ACB50

Function 0771ADD8 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0771AEA4

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: bf1893b9657210147fdf44a686fa7156a4c7cbb20ea8ab19cf518573d47b6311
Instruction ID: 1415971959c55d1cdbdc2c470445dbe59d66cc1f1cd61d19bd2c70e623883738
Opcode Fuzzy Hash: bf1893b9657210147fdf44a686fa7156a4c7cbb20ea8ab19cf518573d47b6311
Instruction Fuzzy Hash: E101D6B4D18648CBCB08CFEAC5852ADBBB6AF89340F10D02AC415AB218DB34280A8B50

Function 07717450 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

m, xrefs: 07717464

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 4099932407d58646fc639613b00662a11d46e6145da38cf9452f464c4cbf23e5
Instruction ID: 6ffd706bf2a66e55362811109d9580d6a7fd97c117cbbd2abc12a54fa6ff53e9
Opcode Fuzzy Hash: 4099932407d58646fc639613b00662a11d46e6145da38cf9452f464c4cbf23e5
Instruction Fuzzy Hash: 13E08CB0D05209ABDB08EAA894042ADBEF89701240F0045A4D84553240DA301A448BA1

Function 07713348 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 0771335C

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: d3240243a6db9858efb8fe81a3acc4df35b6561c9f968aaf5b4e7be5a0b8200c
Instruction ID: 09bf900aba34b9cb582fc35a3a97bc4c0d650cddcfa72964bfd91f15ba0b7118
Opcode Fuzzy Hash: d3240243a6db9858efb8fe81a3acc4df35b6561c9f968aaf5b4e7be5a0b8200c
Instruction Fuzzy Hash: DBE0C2B4905208EBDB10DFB8D5092ADBFF8AB06342F104995E40993240EF315A40D745

Function 07714038 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

7, xrefs: 0771404C

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: b033b34e8a690bfe40863fea6c6f7293d59b02a472a44701b8771c2cc757be5a
Instruction ID: 5fa412371c9341f11ef494e6a9a4022d201cd7a3e6aba7c5e9b8d3ea861451d4
Opcode Fuzzy Hash: b033b34e8a690bfe40863fea6c6f7293d59b02a472a44701b8771c2cc757be5a
Instruction Fuzzy Hash: 16E0C2F0A0614CEBCB10EFF9E4056ADBBF8A701340F4005E4D80A53240DB301A44C741

Function 07716D37 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adef5f5abbf91965f997579d33f2058587d97efbcfc9482a6a6ac7aa0c21569
Instruction ID: 90adda8f9e707f5ba5cf3053e2c29c23b5ba2e61258db741bae0aba0d27ea4c8
Opcode Fuzzy Hash: 5adef5f5abbf91965f997579d33f2058587d97efbcfc9482a6a6ac7aa0c21569
Instruction Fuzzy Hash: 568185B5E142198FDF11CFA8C880AADBBB6FF49344F1084A9E819EB311DB359956CF40

Function 07716FA0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40acef3fa83eb037e5f87c78aafe7aa9f8be58e84dfdc5754aa95f37a1d40f5b
Instruction ID: a59199f431ef57a57ac1db032e14b5770e249d950991d9be4113b001a253bc79
Opcode Fuzzy Hash: 40acef3fa83eb037e5f87c78aafe7aa9f8be58e84dfdc5754aa95f37a1d40f5b
Instruction Fuzzy Hash: BD5138B1A093889FCB05CFB8C8449EEBFF9EF46250F14849AE845DB252D7359D05CBA1

Function 07718560 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698166af68b3946658071396a684e6942a802ace36d04763da3222f607cc2b82
Instruction ID: bdd24b11dfbd8e777dd9328ae78d1ba24e7d593c15db3532726c38932f5cdad6
Opcode Fuzzy Hash: 698166af68b3946658071396a684e6942a802ace36d04763da3222f607cc2b82
Instruction Fuzzy Hash: B84108B4E001099FCB44CFA9D490A9EB7F2EB89364F10896AE815E7351EB35AD018B51

Function 07718550 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225f009218820d4f4106f185f65f93f61749291e315424cf5bdfe23ca316e3f0
Instruction ID: b92f93f2896145ac70ef66d62635eb2547536b4bb292f74c379ae48f62e9ecd1
Opcode Fuzzy Hash: 225f009218820d4f4106f185f65f93f61749291e315424cf5bdfe23ca316e3f0
Instruction Fuzzy Hash: 9A413BB4E012099FCB44CFA8D89069EBBF2EB89264F14896AE815E7351DB359D02CB51

Function 07712FB0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc4b53ec0f6af3a0b5a9b054b14d9b5185d01148d86019519cb58e9cadb634b
Instruction ID: a50fa0b6357840ac0382b20a651c2b0e49b7c8bd83029c67e082f00563b1cd59
Opcode Fuzzy Hash: 2bc4b53ec0f6af3a0b5a9b054b14d9b5185d01148d86019519cb58e9cadb634b
Instruction Fuzzy Hash: FF41C2B4E1121A9FDB14DFB9D9596AEBBF2AF49251F118825E806E3250EB30E901CB50

Function 07714EC9 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391aab1fcd755dcbe87fe944aadb5adfb14d50ee3290f364dc1c59cf8dd8371c
Instruction ID: b8a4b15219393f745e8f180722c2370e889913c65369dba3decdd3e499ca813f
Opcode Fuzzy Hash: 391aab1fcd755dcbe87fe944aadb5adfb14d50ee3290f364dc1c59cf8dd8371c
Instruction Fuzzy Hash: 7431D6B4E0124A9FCB10CFA9D9456AEBBF4EB09354F1489AAE814E7340E7349A45CF91

Function 07715AB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2821f179a657c554d065ecf4ea5c6ee8809b3d7b2ef4fce00bde002ab128a7
Instruction ID: 9471df6ee3d9fe0c9cbeeb0ce96f70c98b53b71fd54b1c020faf88653ea90f1a
Opcode Fuzzy Hash: 0c2821f179a657c554d065ecf4ea5c6ee8809b3d7b2ef4fce00bde002ab128a7
Instruction Fuzzy Hash: E62126B1A003554BCB15EF7D88845AFBFB6EFC52A0B15042AD454CB251EF30890687A1

Function 0163D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778155756.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_163d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61272a47945e978694d6164128af4e761b93aa7210a4a24bcf45031ea6ac9007
Instruction ID: 9e1e9b49ec9e0f1d1755e808a3792cd77d25d49c4bb813dd2fcfd7d313b7f9b7
Opcode Fuzzy Hash: 61272a47945e978694d6164128af4e761b93aa7210a4a24bcf45031ea6ac9007
Instruction Fuzzy Hash: 9621D371504240DFDB05DF58D9C0B2ABF65FBC8328F64C569E9094B296C336D456CAA1

Function 0163D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778155756.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_163d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9932fa9e1f5956b75635479d746e32aca7a2929ececbff5ad317d02109ee36f
Instruction ID: 87ef1f6d9fba8a4f0154b593626241042895c17c443a93466a5be3f8f418f3a7
Opcode Fuzzy Hash: d9932fa9e1f5956b75635479d746e32aca7a2929ececbff5ad317d02109ee36f
Instruction Fuzzy Hash: 0321F171504204DFDB05DF58D9C0B6ABFA5FBD8324F60C169E90A4B257C336E456CAA1

Function 07714ED8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa8418d8e1d0c5decfca31b323834b655f04023e79be2bc0d7b3172d9c81feb
Instruction ID: 48c2e81904a5cc39c29ab84e454ea901e9cc56e7c2b5f1c647da22311646f141
Opcode Fuzzy Hash: 1fa8418d8e1d0c5decfca31b323834b655f04023e79be2bc0d7b3172d9c81feb
Instruction Fuzzy Hash: EA315EB4E1125ADFCB40DFA9D5856EEBBF4AB08350F14946AE814F3340E734AA40CF60

Function 0164D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778223001.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_164d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3caebe527d91cf384e235c9901bc141e7c68e5ed6797e6a6b668834f5b53e3
Instruction ID: aafa0785e29c7dff2dfae92030ed192e0d5ed118c01200bf559645018c19f5af
Opcode Fuzzy Hash: 7f3caebe527d91cf384e235c9901bc141e7c68e5ed6797e6a6b668834f5b53e3
Instruction Fuzzy Hash: 0F212671A04200EFDB05DF98DDC4B27BBA5FB94324F20C66DEA094B356C336D446CA61

Function 0164D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778223001.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_164d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b96f1bf256db7f3ebde1fa1c7ccd46562e19e521eb0560dd735f1e9865feaa7
Instruction ID: 98e22e39a5fa1743a736ab6a364f5fa2006cd71158779da4a0ec6ac00df9eba4
Opcode Fuzzy Hash: 1b96f1bf256db7f3ebde1fa1c7ccd46562e19e521eb0560dd735f1e9865feaa7
Instruction Fuzzy Hash: 18213471A04200DFCB15DF98D9C4B26BFA5FB94B14F20C56DD80A4B396C33AD447CA61

Function 07715C94 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6932a6ab54e623e4cc20f345db6fd8f159d2df343d88df4c11138b000895854
Instruction ID: d955f5bfe8091da1c65afb23446fb786891238134ce5066a1c2939c7f14bdf52
Opcode Fuzzy Hash: c6932a6ab54e623e4cc20f345db6fd8f159d2df343d88df4c11138b000895854
Instruction Fuzzy Hash: FB3102B0C01218EFDB24CF99C988BCEBFB5EB48314F248459E458BB250C7B55895CBA1

Function 07715748 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8e98d9dc66f8242b60118105824c1bb90739bf2186ee907d14c903c2aecb80
Instruction ID: eed00630c5fd6b0bcf8f92a915bcb7f4f708f4ad604603316e4e485e1f761792
Opcode Fuzzy Hash: 8e8e98d9dc66f8242b60118105824c1bb90739bf2186ee907d14c903c2aecb80
Instruction Fuzzy Hash: FF3112B0C00218DFDB24DF99C588B8EBFF4EB48314F208469E454BB250C3B55844CFA5

Function 0771FB58 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5496e2b72369b2c94c4f770331d94f51ac37f4eb7b10ef12562362c39aa18e4a
Instruction ID: 590819bdb435e5a5b961b729a52b7fb62edf63fed890458a865a3096ccdfdc5b
Opcode Fuzzy Hash: 5496e2b72369b2c94c4f770331d94f51ac37f4eb7b10ef12562362c39aa18e4a
Instruction Fuzzy Hash: 211191B0B012198BCB28DA7D982067B7AA6EB86790F148529E906D7380EE308D4187D0

Function 0771593C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564253243e8fc3d211ccb7f04c19dc6964a59be6d2bef4f41ed355f93efc4a61
Instruction ID: 591a9beaf3cefe1faf7f97b10815e796aa4aae14850d2223656ba0f7f791092d
Opcode Fuzzy Hash: 564253243e8fc3d211ccb7f04c19dc6964a59be6d2bef4f41ed355f93efc4a61
Instruction Fuzzy Hash: D52112B59003499FCB20CF9AD884ADEBFF4FB49360F10842AE919A7210C374A944CFA5

Function 0163D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778155756.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_163d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e9d4812ef422c9a556e73142f587e7b54e9642e1653bfc5b533dfe5eebf226b9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1C11E172504280CFCB02CF54D9C4B16BF71FB84328F24C6A9D8090B256C336D45ACBA1

Function 0163D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778155756.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_163d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: fdd07125a0d898fdf84d193a8feb2ad44b0dde2137da093b597c73cddcf21dbb
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: FF11DC72404280DFDB02CF54D9C4B56BF72FB94324F24C2A9D9090B257C33AE45ACBA2

Function 0771BD28 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23202eb37c503bead67d2ef03aaec17b880e46ae0fe4b64dd1a384cbb70206ff
Instruction ID: ee2f81df525708e1de8dd94cb2a6fb864f96d9a218ee27c10ed3591f6b31d885
Opcode Fuzzy Hash: 23202eb37c503bead67d2ef03aaec17b880e46ae0fe4b64dd1a384cbb70206ff
Instruction Fuzzy Hash: A811D2B1E046188BEB18CFABD9453EEFEF7AFC9300F14C06AD40966264DB7419468F90

Function 0164D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778223001.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_164d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ff34c2e66364a978581a595e633778a17d1281cef81f938bd26a2a831a3ded09
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B911BE75904280CFDB16CF54D9C4B15BF62FB44714F24C6AAD8094B756C33AD40ACB61

Function 0164D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778223001.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_164d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 9a6bcdd401d35c4c11f5eb6091c1192645293c2c0570df9f830ccf0630d4fcb0
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2911BB75904280DFDB02CF54C9C4B16BFA1FB84224F24C6AAD9494B396C33AD40ACB61

Function 07717029 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd30e35d46ac3107d02b4946a96e18c15a289f07c83ada6c4547555907b6dc1f
Instruction ID: 5297876335eeae59a19b84d1cd3f5386ba9e0ed5eccaa90981435a06ad6cb55d
Opcode Fuzzy Hash: bd30e35d46ac3107d02b4946a96e18c15a289f07c83ada6c4547555907b6dc1f
Instruction Fuzzy Hash: 1A01F27260E2C46FDB0ACBB8DC949AA3FB9EF471A070940DBE045CB263E6359915C761

Function 0771C770 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bef5a6f5729317e6b505a1c55769ccdf27f9082cd310d294b62b2d46185b974
Instruction ID: 9d4dbfd1b6bbc24c49b0bfb778ff2c9694aae6fc79a9595e662bff9dc2b0fe7d
Opcode Fuzzy Hash: 7bef5a6f5729317e6b505a1c55769ccdf27f9082cd310d294b62b2d46185b974
Instruction Fuzzy Hash: 381192B4D15218CFCB49CFAAC5415EDBBF6BB8D341F549069D409A7211EB349A41CF60

Function 0163D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778155756.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_163d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26418914cf55a6c7a875316946ff17d759f4a8122a5bf3eedb9f8162239390c0
Instruction ID: 8d5d810e08db6c1572bbe67c093f4ce2daf6a83f92fe90c5c48cb11fbca15541
Opcode Fuzzy Hash: 26418914cf55a6c7a875316946ff17d759f4a8122a5bf3eedb9f8162239390c0
Instruction Fuzzy Hash: DF01A7714093809AE7124A69CD84B77BFB8EF81364F58C52AED094A386C379D841C671

Function 0771A54C Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc44e3ad18e74926b2029a824d6e54a71a2d8e2c969de108c736e7aa509fefe
Instruction ID: 1256af6c1e238fa1d70644da72c965c186a18e886c85d71f43b4f16f559debbf
Opcode Fuzzy Hash: efc44e3ad18e74926b2029a824d6e54a71a2d8e2c969de108c736e7aa509fefe
Instruction Fuzzy Hash: F9014FB0A5B25ACFEB10DB68DD90AE9BBB9AB8A241F01D1E5C00D93212D6301A45CF10

Function 0771CB78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b95f17f9602524b10c70c7cc39cc2da8b365cbf9a605c5aa8c3ce47277d991f
Instruction ID: ee228d3f37f85e68270dca98a55d02827160abe8fb555917cc69e49bfd6a5a84
Opcode Fuzzy Hash: 8b95f17f9602524b10c70c7cc39cc2da8b365cbf9a605c5aa8c3ce47277d991f
Instruction Fuzzy Hash: F301FBB4A58108EFC715DFE9D644AADBFF5EB4A300F25D094A4099B355DA30EE00DB51

Function 07718440 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b511f341b0078df52b9a5fe2aff14dad43be50ac530eee981b23cdb7869378e1
Instruction ID: 0f83120356080fcb87deb60ab3ff32ddc720078f5d7bed18c7ca0a53ae264b0c
Opcode Fuzzy Hash: b511f341b0078df52b9a5fe2aff14dad43be50ac530eee981b23cdb7869378e1
Instruction Fuzzy Hash: 1701E8B4E052099FCB44DFACD940AAEBBF5FB89350F1084B99818E7340EB319A01CB51

Function 07716C18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64832522a035c6b75efc163a4729bf01252bdcacea2ef6412272aa1241feb8e
Instruction ID: 43850c24d71cc77540eb78f779b15db62232c2874d926f708f8b69fbb450ef7e
Opcode Fuzzy Hash: a64832522a035c6b75efc163a4729bf01252bdcacea2ef6412272aa1241feb8e
Instruction Fuzzy Hash: B0012CB4D0531AAFC751CFB9D9416AEBFF5EB45300F1484AAE804E3342EB31AA04CB91

Function 07717F41 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9de7210690f8a3385f4f788683bc012f61063fbbeebab909d357cefe90dda88
Instruction ID: a70503235f85006a30e26b60eeaaeba6f83ea218054fc411784759017a7605bb
Opcode Fuzzy Hash: d9de7210690f8a3385f4f788683bc012f61063fbbeebab909d357cefe90dda88
Instruction Fuzzy Hash: 7CF04FB4D052099FCB05CFE98A056AFBFF5EB45350F1185AAA819E3341DB304A01CBA1

Function 0771BDF4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb2187a6085a2606e2e98b30d01a1a942b28b435cc5393025cecffd9d91c4d8
Instruction ID: fb164aead530e5bef46ad6ee8c5db25fc260bc348235554db0bd193c7af93cfe
Opcode Fuzzy Hash: 6bb2187a6085a2606e2e98b30d01a1a942b28b435cc5393025cecffd9d91c4d8
Instruction Fuzzy Hash: 140116F4D18218CBDB08CFAAC8403EDBFF6BF8A350F14D12AD81AA6214D73055058FA0

Function 0771CB00 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9220b91d111949e6704110354bc2f222baa83684bb758b6e37b700d7001d913f
Instruction ID: bb0c003d2b7a790eddc5ea167f3b78186a7cf9a45759e811b85c0069d73f40a5
Opcode Fuzzy Hash: 9220b91d111949e6704110354bc2f222baa83684bb758b6e37b700d7001d913f
Instruction Fuzzy Hash: D4F0A4B099C108DBC715CFDEE5009B9FBB8AB4B380F00E1A490099B211DB309E04DBA0

Function 07718430 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb54bedf6e908cef7c34b2b481f24b40b6144f6633a1695926b677fcd3e2771
Instruction ID: a524b9b965268bffb2623025f8465cb27f6c98829205547844e4d8ee030f8417
Opcode Fuzzy Hash: 8eb54bedf6e908cef7c34b2b481f24b40b6144f6633a1695926b677fcd3e2771
Instruction Fuzzy Hash: 130121B4E052099FCB44DFA8D94065EBBF1EF89310F1084AE9818E7341EB359E05CB52

Function 07716C28 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41246b34a4d0dc2576219352a2a8af1fb13e56118fedb720c934938f837bcc88
Instruction ID: 90925fc5292e4e9318d644b6e77168857730b01ca23f68400d6c2ef521bfc949
Opcode Fuzzy Hash: 41246b34a4d0dc2576219352a2a8af1fb13e56118fedb720c934938f837bcc88
Instruction Fuzzy Hash: 2301B6F8E1520A9FCB54DFA9D5466AEBBF5EB48300F1085699819E3341EB30AA00CB51

Function 0163D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1778155756.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_163d000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0332e240338717e6660e9f0524122d889848af0012406a62d2ae3af74189b15d
Instruction ID: bfd566a4ca92d9409ef8fac639b08ec64679f6fc0ebaaaaf65084c08fc9b0124
Opcode Fuzzy Hash: 0332e240338717e6660e9f0524122d889848af0012406a62d2ae3af74189b15d
Instruction Fuzzy Hash: 5DF062714053849EE7118A1ADCC4B62FFA8EF91764F18C45AED084B386C3799844CAB1

Function 077183C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7847e3303a369286b5f496bc32df9de49b1ee1d13735499424fbd2794a45c7
Instruction ID: 3a61da75a28b8a35f211d56fb7193407b94bf3bcba19c84b7f97968fbcbae818
Opcode Fuzzy Hash: 1f7847e3303a369286b5f496bc32df9de49b1ee1d13735499424fbd2794a45c7
Instruction Fuzzy Hash: FFF054B4D15215EFDB40DFB9D9052AEBFF1EB09350F1099AAE819E3311DB304644CB51

Function 077132D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f383595280610e6e596235a0ac3c848027789506eff5cc60cbe28781c3a47e6e
Instruction ID: 4ad09c72c10d91fb15e3c337c348f4c20bb0e193453a9818ef719969ffcd888a
Opcode Fuzzy Hash: f383595280610e6e596235a0ac3c848027789506eff5cc60cbe28781c3a47e6e
Instruction Fuzzy Hash: F3F0FFB4E051099FCB40EFA8D5456AEFBF5EB45304F1099A9D814E3340EB759A05CB44

Function 077143B0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709ef01139cff193610ac8e93ded3522d60c8cd3f51b7664445ccf8f575cfe54
Instruction ID: b9c9f615f69abe602f78b84184dc910fd294da6270eaedc1c1af75eaa59d9f4d
Opcode Fuzzy Hash: 709ef01139cff193610ac8e93ded3522d60c8cd3f51b7664445ccf8f575cfe54
Instruction Fuzzy Hash: 16F049B4E0524ADFCB45CFB8DA001AEBBF0BB49300F1184AAD818E3310EB308A05CB50

Function 077143C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2edb6b3f87f11db95a0db0a332cdf83e3ea9cf3373c8e0ecafa867f042acd34
Instruction ID: 41a6550213b11d3db2abbb39f4902bc6454fa6ebd8c42a51b142d4fd03ae64ed
Opcode Fuzzy Hash: f2edb6b3f87f11db95a0db0a332cdf83e3ea9cf3373c8e0ecafa867f042acd34
Instruction Fuzzy Hash: F1F097B4D1520ADFCB44DFA9D5455AEBBF4BB49340F1095699819E3300EB309A11CB91

Function 07717F50 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c738a3bb703e55835222bf655d344c2cd4bfdfd5d5bf16d6ac29f6569c7b2a7
Instruction ID: 9e79af543ab31be83743b139e661a66a3f62e71b9a02accaefdd4648881bc72f
Opcode Fuzzy Hash: 6c738a3bb703e55835222bf655d344c2cd4bfdfd5d5bf16d6ac29f6569c7b2a7
Instruction Fuzzy Hash: D3F0A9B4E1520ADFCB44DFA9D5455AEBBF9BB49340F109569A818E3340EB309A41CF91

Function 07713D21 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfc98bcaa006d4f19b8023276fc1e51089f8ed58933c31f358cd306433969b0
Instruction ID: c9f4aa73f0cda2c8118a4237db4d6d27b9070243edc848c2e122925e8f6b7dc1
Opcode Fuzzy Hash: abfc98bcaa006d4f19b8023276fc1e51089f8ed58933c31f358cd306433969b0
Instruction Fuzzy Hash: 70F067B4D05208AFCB51DFB8CA062AEBFF1EF06200F0088EAD459E3721EB305A54CB40

Function 0771592C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2265dddf3fc33d079278e0631853d2984e81da79e203ce12f0b4e880283b176
Instruction ID: 366d89338bd69f3b37f207862a7233e43a75b6b4c838bb543db8dd5fe32f34bb
Opcode Fuzzy Hash: e2265dddf3fc33d079278e0631853d2984e81da79e203ce12f0b4e880283b176
Instruction Fuzzy Hash: 7AF0A072600108BF8F0CDF6DDC849AEBFBAEF45260B00807AE509D7224EA31ED508795

Function 0771A7B1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8d68c0420bdc662d48387ef988df1edfd0af752f2ae41be167f460f777fc4a
Instruction ID: a0b1b618f102476c33182afc4c287db22d51e46b89b7296ea95372baaa4bc897
Opcode Fuzzy Hash: ce8d68c0420bdc662d48387ef988df1edfd0af752f2ae41be167f460f777fc4a
Instruction Fuzzy Hash: 9FF0E9F0E0B285CFDB01CB68D8D49DCBB75EF86245F0290E9C00C97112C5301B44CB11

Function 077183D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620351ab020a7320159ef5b7f0a136165f7cd5d60fbe59c8314c1ffaea3b306d
Instruction ID: 4fe001c3d06895c040393b5e96960a8c0d06ec7a83abe533fdcb7241c4b2abbe
Opcode Fuzzy Hash: 620351ab020a7320159ef5b7f0a136165f7cd5d60fbe59c8314c1ffaea3b306d
Instruction Fuzzy Hash: 9AF0B7B4D14209EFCB40DFADD5455ADBBF5EB09350F1099BAD818E3200EB7056408B41

Function 07713D30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3942ce0e647e290cb8f49f3ac307fd1ceb144ba72a7f92fcf2c4a4800decf5af
Instruction ID: 7555ec6cd0b46d357a377250c962667a3f28b05a33e237d98d299a43323645f8
Opcode Fuzzy Hash: 3942ce0e647e290cb8f49f3ac307fd1ceb144ba72a7f92fcf2c4a4800decf5af
Instruction Fuzzy Hash: 33F0B7B4D14209AFCB50DFB9D5465ADBBF5AB09340F0099AAD858E3310E77056508B40

Function 0771CD00 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454105e308319c8010f195b1be1188e388c782d7bb82bb3ead7a1c85fd504e7e
Instruction ID: f075f3142c3a85443843d8175c5af22d2b6a75f78fd3262261ca7e4d490866b6
Opcode Fuzzy Hash: 454105e308319c8010f195b1be1188e388c782d7bb82bb3ead7a1c85fd504e7e
Instruction Fuzzy Hash: ECF0DAB0D4431A9FDB54DFADC842AAEBFF4AB48244F1189AAD918E7200D77195108BA1

Function 07718508 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbac5aff53028eca3ab806364f37be2f357a4ea828cd29de1069f9366fa5536
Instruction ID: e16837999edbf30ef5ab655d7015f702c15bb18b868b677decce40f0cf432eda
Opcode Fuzzy Hash: 2dbac5aff53028eca3ab806364f37be2f357a4ea828cd29de1069f9366fa5536
Instruction Fuzzy Hash: 24F0EDB4E15208EFCB50DFB8D5556ADBBF4EB09310F1099A9D409E3300EB305A40CF41

Function 0771ADDB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db388c0c5113d3dc3efc56d456ef77b836ea73da494c573c73412ed2b62685e
Instruction ID: f2a7f14804c473bed28035ddb088598fd4653ef2b83373a97761731fad5459a5
Opcode Fuzzy Hash: 4db388c0c5113d3dc3efc56d456ef77b836ea73da494c573c73412ed2b62685e
Instruction Fuzzy Hash: 03E0DF70916204DFC740DFB9EA096EE7FB0AB02200F2181EAE808E3250EA301F14CB51

Function 0771FAF8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de126c8b87da26e1b8b5db52aaafecb08b47612558f039aa8813753027c38c6
Instruction ID: 4f1fda39f79f72f252428121dc8ea441b30591f6f81ee1cbc258de32f4d54d89
Opcode Fuzzy Hash: 0de126c8b87da26e1b8b5db52aaafecb08b47612558f039aa8813753027c38c6
Instruction Fuzzy Hash: 0BF03975E0420CEBCB54EFA9E90468CBBB5FB88300F10C0AAE818A3350DA346A50DF41

Function 07715FBD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0f6641a5a5543e87aba317818849cead3a4066a4b86d91bc96b21871fe7469
Instruction ID: 7761f7a3527db24d1509b0fd59dde07d0da1328b2ebe3345fadf2e74adb42a61
Opcode Fuzzy Hash: aa0f6641a5a5543e87aba317818849cead3a4066a4b86d91bc96b21871fe7469
Instruction Fuzzy Hash: 36E08C76C00034A78B21ABA999084EFFE39EF45260B014016B81AA7600E2300A75CBE1

Function 07714E90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9739c31c7da39cfa8299a6a3db5be30a14bc5a164fad4d7dcf314b25380d0794
Instruction ID: dd199ab0f417f30a7474d663a821b38fff50d257d4ac2fd90da38674181de2ad
Opcode Fuzzy Hash: 9739c31c7da39cfa8299a6a3db5be30a14bc5a164fad4d7dcf314b25380d0794
Instruction Fuzzy Hash: 49E0C2B090110DEFCB00EFF8D4046ADBBF4AB01340F508AA8D80553340DB301F48D782

Function 077155D0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5004c8ef65f406ebe159f7df3aa1c95b5ca8cb687c8986b36ac647036f45fe5
Instruction ID: 6b8c09ef7f1c30f286b1c74a4c7952ee5ddd4239946338f064f561a99fc985c7
Opcode Fuzzy Hash: f5004c8ef65f406ebe159f7df3aa1c95b5ca8cb687c8986b36ac647036f45fe5
Instruction Fuzzy Hash: 83D012610952D16FE31223144C1ECA33F6CEA672993058493ECC6CA07284045926D7E7

Function 0771A3B0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b03ede1eba0d828b4079c7232e2a4ce1d0e6b8103e7ed7a160658101046cdb1
Instruction ID: b0b3855d0eebcece14bd85c65f53480f8153185adc9b6c9f7bdbfb773e71b44d
Opcode Fuzzy Hash: 9b03ede1eba0d828b4079c7232e2a4ce1d0e6b8103e7ed7a160658101046cdb1
Instruction Fuzzy Hash: A1D0A7F008A241DFC31927F57E192F83F31D747112B0A1586F48EA2C638D641558DB22

Function 0771CCA8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf3b7e4fad8fcb6046c8b8c1b623fe5dcd7508fb5b2ac356dd01440180ef108
Instruction ID: bde0de796eeea349b15dff36cea973fb3cec9f75d2d63c25314562c926884032
Opcode Fuzzy Hash: daf3b7e4fad8fcb6046c8b8c1b623fe5dcd7508fb5b2ac356dd01440180ef108
Instruction Fuzzy Hash: FAE092B0D802099FD740EFA9C905B5EBBF5BB08600F2185AAD019E7211E7749A058F91

Function 0771ADE8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfcf29b023faa863fd348d2477ff79a7f003f96044ba31543bb82f0e0507ccd7
Instruction ID: 2d5da767f10fbf2ff90c1fc57232a527f6e57c13c95c3975a2a9c395ae7cf1f9
Opcode Fuzzy Hash: bfcf29b023faa863fd348d2477ff79a7f003f96044ba31543bb82f0e0507ccd7
Instruction Fuzzy Hash: 3AE01270D15209DFC740DFB9E64A69CBFF4AB04301F1081A9E80493340EB705E44CB41

Function 07715FC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 24f5d24e6386224b7933cce60afc2f855f20a7eab1ed6550644951402fccc351
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 9BD09E72D00139978B10AFE9DC054DFFF79EF45650F418126E915A7100D3715A21DBD1

Function 0771E1B0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e66477e3fb8f7e7367cb4b3703e8e1ede4ffcb6ac040528de35e425e5680575
Instruction ID: dee1d799e921ab37161046953e2bf59c784831edf75a8beadc965c4bc4655c98
Opcode Fuzzy Hash: 8e66477e3fb8f7e7367cb4b3703e8e1ede4ffcb6ac040528de35e425e5680575
Instruction Fuzzy Hash: A1D022B040630CDBC314EBEEE001A99777CEB02241F5040ECE80453250DFB25E40DB92

Function 0771CDA0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d66de551e70bcadcdb0a524d779e9f488361d1d9cc7cad3e83314bb8c04989
Instruction ID: 7dfc2d50d7be65b72c5cd3ede60ad9570339bc3aaad3e5066a44234a6850734d
Opcode Fuzzy Hash: 81d66de551e70bcadcdb0a524d779e9f488361d1d9cc7cad3e83314bb8c04989
Instruction Fuzzy Hash: 65D0127314410C9E4B82EED8E840D537BECBB146407008822E544C7130E621F574DB61

Function 0771A3C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da05cfd0e449ff9dd42af43e232dfa7ff567ed1e13f5228a3365289bc41c2d4
Instruction ID: 9ceb35e847c4180629266261b03be947581ad463d178ffa8fc68d3fa4ca94e60
Opcode Fuzzy Hash: 1da05cfd0e449ff9dd42af43e232dfa7ff567ed1e13f5228a3365289bc41c2d4
Instruction Fuzzy Hash: E4C08CB0011205C7C30427DAB60D3B43FA8A700212F804010B50C42C104EE06440CB52

Function 077158E4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f4d50d315896eea8e3811a8edc333a630674608c1ef358d380b464e404c60a
Instruction ID: d8a82680685eda8706dc8278a04af225fcb2c509b6c6f5fb204f9a13a1ac3059
Opcode Fuzzy Hash: b4f4d50d315896eea8e3811a8edc333a630674608c1ef358d380b464e404c60a
Instruction Fuzzy Hash: 84B092A61A5280A64A08A7A88A84A3AA611EBB2790B41882162054101485609464936B

Function 077158DF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1787070570.0000000007710000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7710000_fUamrQdFSPAg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800cf6d14617bd54320e5e64632f37ba1c3be333a8f7f6dfcd04d351aa52196c
Instruction ID: bc07edae685d7090911c94f795d91dda4619fce47944b1b48b7da71c5bc75c71
Opcode Fuzzy Hash: 800cf6d14617bd54320e5e64632f37ba1c3be333a8f7f6dfcd04d351aa52196c
Instruction Fuzzy Hash: CCC02BB001C3C1E8C704E3F44D1063ED9029FF2780F02840D635900015C150003C836B

Analysis Process: MSBuild.exePID: 8180, Parent PID: 7936COMMON

Executed Functions

Function 02CE3572 Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

$kq, xrefs: 02CE3596
Xoq, xrefs: 02CE35AF

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xoq$$kq
API String ID: 0-227003152
Opcode ID: c4eb63942226a42f9eedf3a94c5081c5c3b014295f1f03c1a8b6de9289b640aa
Instruction ID: 0d27e8b2ed343aec8cf50465a9bc693b0cd20067d804a5dc105e23dfb7f5e34b
Opcode Fuzzy Hash: c4eb63942226a42f9eedf3a94c5081c5c3b014295f1f03c1a8b6de9289b640aa
Instruction Fuzzy Hash: ECF15E75E012889FCF18DFB9D9556AEBBB7BF88300B14856AD406EB358CF349806CB51

Function 02CE3418 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Xoq, xrefs: 02CE345E
Xoq, xrefs: 02CE3435

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID: Xoq$Xoq
API String ID: 0-251439590
Opcode ID: 95a3be4cf6589add86209edf453944648706881f9b19fcb8d6338ea2a122c561
Instruction ID: e87e8619f8769ad1012ac948b04c3d732f4471cc7d37fd0e0864e3418f000451
Opcode Fuzzy Hash: 95a3be4cf6589add86209edf453944648706881f9b19fcb8d6338ea2a122c561
Instruction Fuzzy Hash: 73314D72B003948BDF19496A899437FAAEABFC4314F08447DE807D3384DF78DD418661

Function 02CE0C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02CE0E5E

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 7fb00d8e2a36e0127b23678830d8e6ec70141233ce7115b48a655eb69d59956c
Instruction ID: 9bf8bf68ed8ae59dff46d2d39e9a6c76f2e7ba615c6bbb0c85ed16f2b928da49
Opcode Fuzzy Hash: 7fb00d8e2a36e0127b23678830d8e6ec70141233ce7115b48a655eb69d59956c
Instruction Fuzzy Hash: 4A22C77894021ACFCB95EF64E995A9DFBB2FF48301F1086A6D809A7358DB306D85CF41

Function 02CE0CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02CE0E5E

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 1c71365960c93aec4a3761da54522cff7eddd4bceb08cb6d80401c00f52bba6b
Instruction ID: 101504feff7da81361e050590218179667da2f25845eaec2ec9c71b6c73ae54e
Opcode Fuzzy Hash: 1c71365960c93aec4a3761da54522cff7eddd4bceb08cb6d80401c00f52bba6b
Instruction Fuzzy Hash: 9822C77894021ACFCB95EF64E995A9DFBB2FF48301F1086A6D809A7358DB306D85CF40

Function 02CE2060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566cafe2770bd0f7603be419d3e6925ac8fd15c0aeda99ff068f6d9d67b0faf0
Instruction ID: bffdca6007fcb19d0f8f0a2527073967c75fbeb76c0e13952c5b42b25e19c5d9
Opcode Fuzzy Hash: 566cafe2770bd0f7603be419d3e6925ac8fd15c0aeda99ff068f6d9d67b0faf0
Instruction Fuzzy Hash: D621B235A00215AFCF15DB74C950AAE77AAEBC8650B10C419D90A8B298DB31EF41CBD2

Function 02CE215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40feb212dcdb1d915bc6fd3be70f6a9a44aa131c3345437b68352220a0d0a3e
Instruction ID: 0fa2cbef6b85426fc2844b02256b830272c576e2c3c527a9e931638a89cc14c0
Opcode Fuzzy Hash: c40feb212dcdb1d915bc6fd3be70f6a9a44aa131c3345437b68352220a0d0a3e
Instruction Fuzzy Hash: CB113B35E083599FCB029BB89C108DEFF35FF8A2207258797D566B70A1EA311906C792

Function 02CE39ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec085ff4eb331f83268c7ebedcb7afbb85e208d46fcdee38f04ffa5e70bcaa45
Instruction ID: baa2847aae36eb8c6e23943fb0111f4b892a273bff4f69f7faeb2e4d3c60ffc0
Opcode Fuzzy Hash: ec085ff4eb331f83268c7ebedcb7afbb85e208d46fcdee38f04ffa5e70bcaa45
Instruction Fuzzy Hash: 39319378E11248DFCB44EFA8E5948ADBBF6FF49301B204469E809AB328D735AD45CF40

Function 02CE1F08 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb92a65565fd8c896339e46381adef8e7c0899e2eb9ad23c22b1d7b80fce79b1
Instruction ID: 904295ba9904e6d3ea426be81e3b4bc5d637c3f12bf19380e0c16e777de99c42
Opcode Fuzzy Hash: cb92a65565fd8c896339e46381adef8e7c0899e2eb9ad23c22b1d7b80fce79b1
Instruction Fuzzy Hash: 342133B4D0460D8FCB00EFA8D8456EEFFB4BF49304F10516AE845BB264EB305A51CBA2

Function 02CE1F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487d6f02e7ce7db07e14d2a863a5e0c2a524a062225556575cef8e32dd3751c1
Instruction ID: 08cf83086db185b6bf51c029feb213b1fcb321251b0b0b3a2a3d166c8d826f90
Opcode Fuzzy Hash: 487d6f02e7ce7db07e14d2a863a5e0c2a524a062225556575cef8e32dd3751c1
Instruction Fuzzy Hash: 2B21CFB4C1020A8FCB40EFA8D9856EEFFF4BB09300F10556AE805B2210EB345A95CFA1

Function 02CE2010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a6174ced66286e0b8bc4cb33f5b696e29d1ccdc771cd8886b2c78b31c55b3e
Instruction ID: 3c8ffd94507dd3d26e9dbf99baf037ef18c406fbeb00caf4865d4c8755224f30
Opcode Fuzzy Hash: 60a6174ced66286e0b8bc4cb33f5b696e29d1ccdc771cd8886b2c78b31c55b3e
Instruction Fuzzy Hash: 6BE04F3292022A96CF10DBE5E8559DEB778FF96210F505A16D52067010EB70259986A1

Function 02CE2020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2951446495.0000000002CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2ce0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8837e0d65cedef893e7f5acf6ba73937efeb9eb244259a4b52223372f903adee
Instruction ID: f4ad74a97bf9ab54e41a911c88b5c0185c5ebc42f9a76bdc277d2c17e74f6bbf
Opcode Fuzzy Hash: 8837e0d65cedef893e7f5acf6ba73937efeb9eb244259a4b52223372f903adee
Instruction Fuzzy Hash: 69D02B31D2022B43CB00E7A1DC004DFF738EEC2220B404223D51037000FB302698C2E0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nowe zam#U00f3wienie.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F6F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90E7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9117.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99BF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B37.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B77.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fUamrQdFSPAg.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nowe zam#U00f3wienie.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tjvzgyz.32y.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj2gwolf.n1w.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gziroowc.esv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxxar0jn.iro.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psp0fd04.24h.ps1

Windows Analysis Report
nowe zam#U00f3wienie.exe