
Windows Analysis Report
7zFM.exe

Overview

General Information

Sample name: 7zFM.exe
Analysis ID: 1479907
MD5: 2fe0f2549f86229893dd19c6c1f308a9
SHA1: aed113015b019a3f362403a64218b4dffc905b84
SHA256: 56876aad7e2cdb3f685ebe5fb66a08a8c5f418da061a823f91d96317d3e89fad
Tags: exe

Detection

ZTrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected ZTrat
.NET source code contains potential unpacker
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 7zFM.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\7zFM.exe" MD5: 2FE0F2549F86229893DD19C6C1F308A9)
    • netsh.exe (PID: 7508 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7572 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7652 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\user\Desktop\7zFM.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • 7zFM.exe (PID: 7724 cmdline: C:\Users\user\Desktop\7zFM.exe MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • 7zFM.exe (PID: 7928 cmdline: "C:\Users\user\Desktop\7zFM.exe" MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • 7zFM.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\7zFM.exe" MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • 7zFM.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\7zFM.exe" MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • 7zFM.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\7zFM.exe" MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • 7zFM.exe (PID: 7660 cmdline: C:\Users\user\Desktop\7zFM.exe MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • 7zFM.exe (PID: 5448 cmdline: C:\Users\user\Desktop\7zFM.exe MD5: 2FE0F2549F86229893DD19C6C1F308A9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
7zFM.exe | JoeSecurity_ZTrat | Yara detected ZTrat | Joe Security |
00000000.00000000.1686714973.000002127D482000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ZTrat | Yara detected ZTrat | Joe Security |
0.0.7zFM.exe.2127d480000.0.unpack | JoeSecurity_ZTrat | Yara detected ZTrat | Joe Security |

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\Desktop\7zFM.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7zFM.exe, ProcessId: 7340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7zFM
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\7zFM.exe, ProcessId: 7340, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zFM.lnk
No Snort rule has matched


AV Detection

Source: 7zFM.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\RCV.EXE | Avira: detection malicious, Label: HEUR/AGEN.1326753
Source: 2.tcp.eu.ngrok.io | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\RCV.EXE | ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\RCV.EXE | Virustotal: Detection: 64%
Source: 7zFM.exe | Virustotal: Detection: 44%
Source: Yara match | File source: 7zFM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7zFM.exe.2127d480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1686714973.000002127D482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\RCV.EXE | Joe Sandbox ML: detected
Source: 7zFM.exe | Joe Sandbox ML: detected
Source: 7zFM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7zFM.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Configuration.Install.pdb | source: 7zFM.exe, 00000000.00000002.2968202388.000002127FDF6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\GitHub\WebEye\WebCameraControl\DirectShowFacade\x64\Release\DirectShowFacade.pdb | source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\code\GitHub\NAudio\NAudio\obj\Release\NAudio.pdb | source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PluginLoader.pdb | source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp, RCV.EXE.0.dr
Source: Binary string: D:\dev\GitHub\WebEye\WebCameraControl\WinForms\WebCameraControl\obj\Release\WebEye.Controls.WinForms.WebCameraControl.pdb | source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\ZT_Rat\ChatPlugin\obj\Debug\Chat.pdb | source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\dev\GitHub\WebEye\WebCameraControl\DirectShowFacade\Release\DirectShowFacade.pdb | source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: global traffic | TCP traffic: 3.126.37.18 ports 13067,0,1,3,6,7
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 3.126.37.18:13067
Source: global traffic | HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 3.126.37.18
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: 2.tcp.eu.ngrok.io
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 7zFM.exe, 00000008.00000002.1738374957.0000012BDB761000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000009.00000002.1841413310.0000016A03A57000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000D.00000002.1922764094.000001C8DB4A7000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000E.00000002.2001877952.0000020DCAF57000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000F.00000002.2082436706.0000022E15C87000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000010.00000002.2299499740.0000012400047000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000012.00000002.2891677421.000002D8BE7F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://foo.com/fooo
Source: 7zFM.exe, 00000000.00000002.2953067535.0000021200089000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2953067535.0000021200070000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2953067535.000002120007F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: 7zFM.exe | String found in binary or memory: http://ip-api.com/xml/?fields=country
Source: 7zFM.exe | String found in binary or memory: http://ip-api.com/xml/?fields=countryCode
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: 7zFM.exe, 00000000.00000002.2953067535.0000021200001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000008.00000002.1738374957.0000012BDB761000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000009.00000002.1841413310.0000016A03A11000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000D.00000002.1922764094.000001C8DB461000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000E.00000002.2001877952.0000020DCAF11000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000F.00000002.2082436706.0000022E15C41000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000010.00000002.2299499740.0000012400001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000012.00000002.2891677421.000002D8BE7B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0

E-Banking Fraud

Source: Yara match | File source: 7zFM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7zFM.exe.2127d480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1686714973.000002127D482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\7zFM.exe | Code function: 0_2_00007FFD9B8B0826
Source: C:\Users\user\Desktop\7zFM.exe | Code function: 0_2_00007FFD9B8A721D
Source: C:\Users\user\Desktop\7zFM.exe | Code function: 0_2_00007FFD9B8B15D2
Source: C:\Users\user\Desktop\7zFM.exe | Code function: 0_2_00007FFD9B8AA9AF
Source: C:\Users\user\Desktop\7zFM.exe | Code function: 0_2_00007FFD9B8A3C1F
Source: C:\Users\user\Desktop\7zFM.exe | Code function: 0_2_00007FFD9B8A39D9
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\RCV.EXE 50BA6F23ECABABDAB3CE09CD1E93EDCE9539EB82E2D51C9A38D84CBD896EEEF2
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll. vs 7zFM.exe
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebEye.Controls.WinForms.WebCameraControl.dllt* vs 7zFM.exe
Source: 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll. vs 7zFM.exe
Source: 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebEye.Controls.WinForms.WebCameraControl.dllt* vs 7zFM.exe
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll. vs 7zFM.exe
Source: 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebEye.Controls.WinForms.WebCameraControl.dllt* vs 7zFM.exe
Source: 7zFM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RCV.EXE.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RCV.EXE.0.dr, NHo8Kxf1tmObMSoUDI.cs | Cryptographic APIs: 'CreateDecryptor'
Source: RCV.EXE.0.dr, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: RCV.EXE.0.dr, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: RCV.EXE.0.dr, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, NHo8Kxf1tmObMSoUDI.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/5@2/3
Source: C:\Users\user\Desktop\7zFM.exe | File created: C:\Users\user\AppData\Roaming\RCV.EXE
Source: C:\Users\user\Desktop\7zFM.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Users\user\Desktop\7zFM.exe | Mutant created: \Sessions\1\BaseNamedObjects\[Mutex]
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: 7zFM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7zFM.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\7zFM.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\7zFM.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7zFM.exe | Virustotal: Detection: 44%
Source: 7zFM.exe | String found in binary or memory: /add-userTemp
Source: 7zFM.exe | String found in binary or memory: /add-window
Source: 7zFM.exe | String found in binary or memory: /stop-wav
Source: 7zFM.exe | String found in binary or memory: /stop-wav
Source: 7zFM.exe | String found in binary or memory: /play-wavPlay/run!/enter-directory-/add-filemanager-items
Source: 7zFM.exe | String found in binary or memory: /stop-recording
Source: 7zFM.exe | String found in binary or memory: /stop-recording
Source: 7zFM.exe | String found in binary or memory: /add-services
Source: 7zFM.exe | String found in binary or memory: /stop-service
Source: 7zFM.exe | String found in binary or memory: /stop-service
Source: 7zFM.exe | String found in binary or memory: /add-processes
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe "C:\Users\user\Desktop\7zFM.exe"
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\user\Desktop\7zFM.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe C:\Users\user\Desktop\7zFM.exe
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe "C:\Users\user\Desktop\7zFM.exe"
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe "C:\Users\user\Desktop\7zFM.exe"
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe "C:\Users\user\Desktop\7zFM.exe"
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe "C:\Users\user\Desktop\7zFM.exe"
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe C:\Users\user\Desktop\7zFM.exe
Source: unknown | Process created: C:\Users\user\Desktop\7zFM.exe C:\Users\user\Desktop\7zFM.exe
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\user\Desktop\7zFM.exe"
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: rasman.dll
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: msv1_0.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: ntlmshared.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: cryptdll.dllJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: secur32.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: msv1_0.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ntlmshared.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptdll.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: secur32.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: msv1_0.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: ntlmshared.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Section loaded: cryptdll.dll
        Source: C:\Users\user\Desktop\7zFM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: 7zFM.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\Desktop\7zFM.exe
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\7zFM.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: 7zFM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: 7zFM.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: 7zFM.exe | Static file information: File size 2182144 > 1048576
        Source: 7zFM.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x213000
        Source: 7zFM.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: System.Configuration.Install.pdb source: 7zFM.exe, 00000000.00000002.2968202388.000002127FDF6000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\dev\GitHub\WebEye\WebCameraControl\DirectShowFacade\x64\Release\DirectShowFacade.pdb source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\code\GitHub\NAudio\NAudio\obj\Release\NAudio.pdb source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: PluginLoader.pdb source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp, RCV.EXE.0.dr
        Source: Binary string: D:\dev\GitHub\WebEye\WebCameraControl\WinForms\WebCameraControl\obj\Release\WebEye.Controls.WinForms.WebCameraControl.pdb source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\ZT_Rat\ChatPlugin\obj\Debug\Chat.pdb source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\dev\GitHub\WebEye\WebCameraControl\DirectShowFacade\Release\DirectShowFacade.pdb source: 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: 7zFM.exe, GTs-.cs .Net Code: HDs_003D System.Reflection.Assembly.Load(byte[])
        Source: 7zFM.exe, uBM-.cs .Net Code: _3BM_003D System.Reflection.Assembly.Load(byte[])
        Source: 7zFM.exe, uBM-.cs .Net Code: _3BM_003D
        Source: RCV.EXE.0.dr, NHo8Kxf1tmObMSoUDI.cs .Net Code: NWcBDLfA2xZ1tRDixM System.Reflection.Assembly.Load(byte[])
        Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, NHo8Kxf1tmObMSoUDI.cs .Net Code: NWcBDLfA2xZ1tRDixM System.Reflection.Assembly.Load(byte[])
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 0_2_00007FFD9B8A6242 push ebx; retn 5F4Ch 0_2_00007FFD9B8A62DA
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 0_2_00007FFD9B8A0FE5 pushad ; iretd 0_2_00007FFD9B8A0FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 0_2_00007FFD9B8A1999 push E95E50C5h; ret 0_2_00007FFD9B8A19F9
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 8_2_00007FFD9B890FE5 pushad ; iretd 8_2_00007FFD9B890FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 9_2_00007FFD9B8A0FE5 pushad ; iretd 9_2_00007FFD9B8A0FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 13_2_00007FFD9B880FE5 pushad ; iretd 13_2_00007FFD9B880FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 14_2_00007FFD9B8A0FE5 pushad ; iretd 14_2_00007FFD9B8A0FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 15_2_00007FFD9B8A0FE5 pushad ; iretd 15_2_00007FFD9B8A0FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 16_2_00007FFD9B880FE5 pushad ; iretd 16_2_00007FFD9B880FFD
        Source: C:\Users\user\Desktop\7zFM.exe Code function: 18_2_00007FFD9B880FE5 pushad ; iretd 18_2_00007FFD9B880FFD
        Source: RCV.EXE.0.dr Static PE information: section name: .text entropy: 7.971057347412118
        Source: RCV.EXE.0.dr, NHo8Kxf1tmObMSoUDI.cs High entropy of concatenated method names: 'Y7u4B2dCuk', 'Da54reTuLO', 'uYj4gKIhw5', 'njP4PBod3Y', 'HdT4QBGQ0b', 'Qyq4AxML9R', 'fhc49cm4i2', 'aOx4MWC618', 'U554ObJImv', 'HPJ40rcGf5'
        Source: RCV.EXE.0.dr, MP5oX3TsUhmnjXxdWS.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'kYd4vQX9Yy', 'tLYhl8JOA1PxR', 'AHW2wpGmj', 'mIwlVflxN', 'O8KfDo4M0', 'XIXqirSmE', 'mmVBvHpT6', 'K39rOyNI0', 'MLogIiUCe'
        Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, NHo8Kxf1tmObMSoUDI.cs High entropy of concatenated method names: 'Y7u4B2dCuk', 'Da54reTuLO', 'uYj4gKIhw5', 'njP4PBod3Y', 'HdT4QBGQ0b', 'Qyq4AxML9R', 'fhc49cm4i2', 'aOx4MWC618', 'U554ObJImv', 'HPJ40rcGf5'
        Source: 0.2.7zFM.exe.212196948b7.7.raw.unpack, MP5oX3TsUhmnjXxdWS.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'kYd4vQX9Yy', 'tLYhl8JOA1PxR', 'AHW2wpGmj', 'mIwlVflxN', 'O8KfDo4M0', 'XIXqirSmE', 'mmVBvHpT6', 'K39rOyNI0', 'MLogIiUCe'
        Source: C:\Users\user\Desktop\7zFM.exe File created: C:\Users\user\AppData\Roaming\RCV.EXE

        Boot Survival

        Source: C:\Users\user\Desktop\7zFM.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\user\Desktop\7zFM.exe"
        Source: C:\Users\user\Desktop\7zFM.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zFM.lnk
        Source: C:\Users\user\Desktop\7zFM.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7zFM
        Source: C:\Users\user\Desktop\7zFM.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7zFM
        Source: C:\Users\user\Desktop\7zFM.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 2127D9C0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 2127F2C0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 12BDB6A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 12BF3760000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 16A03930000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 16A1BA10000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 1C8D9950000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 1C8F3460000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 20DC9660000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 20DE2F10000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 22E142E0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 22E2DC40000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 1246C890000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 1246E2F0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 2D8BCF70000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: 2D8D67B0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\7zFM.exe - Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\7zFM.exe - Window / User API: threadDelayed 1475
        Source: C:\Users\user\Desktop\7zFM.exe - Window / User API: threadDelayed 879
        Source: C:\Users\user\Desktop\7zFM.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RCV.EXE
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7364 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7760 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7744 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7968 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7952 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 5848 - Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 1700 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7504 - Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7324 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7620 - Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7544 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 1868 - Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 7152 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 2212 - Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Users\user\Desktop\7zFM.exe TID: 3192 - Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
        Source: C:\Users\user\Desktop\7zFM.exe - Thread delayed: delay time: 922337203685477
        Source: 7zFM.exe, 0000000D.00000002.1920689077.000001C8D97EF000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
        Source: 7zFM.exe, 00000000.00000002.2965949296.000002127D8B0000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyyc>P
        Source: 7zFM.exe, 0000000E.00000002.2001195094.0000020DC9589000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
        Source: 7zFM.exe, 00000008.00000002.1737817225.0000012BD9D75000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000F.00000002.2082871932.0000022E2E6C0000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 00000012.00000002.2890574414.000002D8BCCB2000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: 7zFM.exe, 00000009.00000002.1840852570.0000016A02125000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
        Source: netsh.exe, 00000002.00000003.1712530387.000001CB7EAD6000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==
        Source: netsh.exe, 00000004.00000003.1714582421.00000122DCE25000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD
        Source: 7zFM.exe, 00000010.00000002.2300029049.000001246C7B9000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOO
        Source: C:\Users\user\Desktop\7zFM.exe - Process token adjusted: Debug
        Source: C:\Users\user\Desktop\7zFM.exe - Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\7zFM.exe - Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\user\Desktop\7zFM.exe"
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exe - Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\7zFM.exeQueries volume information: C:\Users\user\Desktop\7zFM.exe VolumeInformation
        Source: C:\Users\user\Desktop\7zFM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
Source: C:\Users\user\Desktop\7zFM.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
Source: 7zFM.exe, 00000000.00000002.2968202388.000002127FDF6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 7zFM.exe, 00000000.00000002.2965668157.0000021219B60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\7zFM.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 7zFM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7zFM.exe.2127d480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1686714973.000002127D482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 7zFM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.7zFM.exe.2127d480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1686714973.000002127D482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix (rebuilt from the flattened report table, listed per tactic column; the bracketed numbers are the report's signature-count badges, copied as extracted, which mark the techniques matched by this sample's signatures)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
• Execution: Windows Management Instrumentation [1]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
• Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Privilege Escalation: Process Injection [11]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
• Defense Evasion: Masquerading [1]; Disable or Modify Tools [21]; Virtualization/Sandbox Evasion [31]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; DLL Side-Loading [1]
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
• Discovery: Security Software Discovery [121]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [12]; Remote System Discovery; System Owner/User Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
• Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
• Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [2]; Multiband Communication; Commonly Used Port; Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1479907; Sample: 7zFM.exe; Start date: 24/07/2024; Architecture: WINDOWS; Score: 100)

• Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
• Contacted hosts: 2.tcp.eu.ngrok.io (3.126.37.18, ports 13067 and 49734, AMAZON-02US, United States); ip-api.com (208.95.112.1, ports 49735 and 80, TUT-ASUS, United States); 127.0.0.1 (unknown, unknown)
• Started processes: 7zFM.exe (three instances) plus 5 other processes
• First 7zFM.exe instance: contacted 2.tcp.eu.ngrok.io and ip-api.com; dropped C:\Users\user\AppData\Roaming\RCV.EXE (PE32); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall; started netsh.exe, netsh.exe and schtasks.exe, each of which started a conhost.exe
• Second 7zFM.exe instance: contacted 127.0.0.1; dropped C:\Users\user\AppData\Local\...\7zFM.exe.log (CSV)

Source | Detection | Scanner | Label
7zFM.exe | 45% | Virustotal |
7zFM.exe | 100% | Avira | TR/Dropper.MSIL.Gen2
7zFM.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\RCV.EXE | 100% | Avira | HEUR/AGEN.1326753
C:\Users\user\AppData\Roaming\RCV.EXE | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\RCV.EXE | 58% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\RCV.EXE | 65% | Virustotal |

No Antivirus matches
Source | Detection | Scanner | Label
2.tcp.eu.ngrok.io | 12% | Virustotal |
ip-api.com | 0% | Virustotal |

Source | Detection | Scanner | Label
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.symauth.com/cps0( | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://ip-api.com/xml/?fields=countryCode,query | 0% | Avira URL Cloud | safe
http://ip-api.com/xml/?fields=countryCode | 0% | Avira URL Cloud | safe
http://foo.com/fooo | 0% | Virustotal |
http://foo.com/fooo | 0% | Avira URL Cloud | safe
http://ip-api.com/xml/?fields=country | 0% | Avira URL Cloud | safe
http://ip-api.com/xml/?fields=countryCode | 0% | Virustotal |
http://ip-api.com/xml/?fields=country | 0% | Virustotal |
http://ip-api.com/xml/?fields=countryCode,query | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
2.tcp.eu.ngrok.io | 3.126.37.18 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/xml/?fields=countryCode,query | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/xml/?fields=countryCode | 7zFM.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.thawte.com0 | 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.symauth.com/cps0( | 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/xml/?fields=country | 7zFM.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.symauth.com/rpa00 | 7zFM.exe, 00000000.00000002.2954976232.0000021210001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2963346788.0000021219610000.00000004.08000000.00040000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2954976232.0000021210800000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://foo.com/fooo | 7zFM.exe, 00000008.00000002.1738374957.0000012BDB761000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000009.00000002.1841413310.0000016A03A57000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000D.00000002.1922764094.000001C8DB4A7000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000E.00000002.2001877952.0000020DCAF57000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000F.00000002.2082436706.0000022E15C87000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000010.00000002.2299499740.0000012400047000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000012.00000002.2891677421.000002D8BE7F7000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | 7zFM.exe, 00000000.00000002.2953067535.0000021200089000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2953067535.0000021200070000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000000.00000002.2953067535.000002120007F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 7zFM.exe, 00000000.00000002.2953067535.0000021200001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000008.00000002.1738374957.0000012BDB761000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000009.00000002.1841413310.0000016A03A11000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000D.00000002.1922764094.000001C8DB461000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000E.00000002.2001877952.0000020DCAF11000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 0000000F.00000002.2082436706.0000022E15C41000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000010.00000002.2299499740.0000012400001000.00000004.00000800.00020000.00000000.sdmp, 7zFM.exe, 00000012.00000002.2891677421.000002D8BE7B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | 7zFM.exe, 00000000.00000002.2961390589.00000212190A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.126.37.18 | 2.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false

IP (private)
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1479907
Start date and time: 2024-07-24 10:54:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7zFM.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@17/5@2/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 56
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 7zFM.exe, PID 5448 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 6644 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 6724 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 7340 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 7512 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 7660 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 7724 because it is empty
• Execution Graph export aborted for target 7zFM.exe, PID 7928 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:55:05 | Task Scheduler | Run new task: 7zFM path: C:\Users\user\Desktop\7zFM.exe
09:55:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 7zFM "C:\Users\user\Desktop\7zFM.exe"
09:55:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 7zFM "C:\Users\user\Desktop\7zFM.exe"
09:55:23 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 7zFM "C:\Users\user\Desktop\7zFM.exe"
09:55:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zFM.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context

3.126.37.18:
• 4xKDL5YCfQ.exe | malicious | Njrat
• b8UsrDOVGV.exe | malicious | Njrat
• tiodtk2cfy.exe | malicious | Njrat
• pQBmVoyRnw.exe | malicious | Njrat
• NezbdhNgwG.exe | malicious | Njrat
• xdPdkPMD8u.exe | malicious | Njrat
• VBUXm77rfL.exe | malicious | Njrat
• gEuhLHV0.posh.ps1 | malicious | Metasploit
• MibKbjH4.posh.ps1 | malicious | Unknown
• kXghM8bJcm.exe | malicious | Njrat

208.95.112.1:
• TxCOT6OBFk.exe | malicious | Unknown | ip-api.com/json/?fields=status,message,query,country,regionName,city,isp,timezone
• M6hS9qGbFx.rtf | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• 17217831671683454f6df61f6caa23ed5f4cc5b8f04491a526221f21a1ce37a4fd58746cbb470.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
• 17217823862eb632fc7d34e74738954b9759cb00e549b63a7beb37128ab350b4d321af771d904.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
• Comprovante-Pagamento_66a04578f18a3.js | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
• 83M0VAEEuh.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
• yt7dW9nyJK.exe | malicious | WhiteSnake Stealer, XWorm | ip-api.com/line?fields=query,country
• #U00d6deme Talimat#U01312024.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
• 5i4hBrTNHm.rtf | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

Match | Associated Sample Name / URL | Detection | Threat Name | Context

ip-api.com:
• TxCOT6OBFk.exe | malicious | Unknown | 208.95.112.1
• M6hS9qGbFx.rtf | malicious | AgentTesla | 208.95.112.1
• 17217831671683454f6df61f6caa23ed5f4cc5b8f04491a526221f21a1ce37a4fd58746cbb470.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
• 17217823862eb632fc7d34e74738954b9759cb00e549b63a7beb37128ab350b4d321af771d904.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
• Comprovante-Pagamento_66a04578f18a3.js | malicious | Clipboard Hijacker, Quasar | 208.95.112.1
• 83M0VAEEuh.exe | malicious | WhiteSnake Stealer | 208.95.112.1
• yt7dW9nyJK.exe | malicious | WhiteSnake Stealer, XWorm | 208.95.112.1
• #U00d6deme Talimat#U01312024.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
• 5i4hBrTNHm.rtf | malicious | AgentTesla | 208.95.112.1
• SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | malicious | AgentTesla | 208.95.112.1

2.tcp.eu.ngrok.io:
• Game Laucher.exe | malicious | Njrat | 18.192.93.86
• 10.exe | malicious | Unknown | 18.192.93.86
• En3e396wX1.exe | malicious | Njrat | 18.197.239.5
• ZxocxU01PB.exe | malicious | Njrat | 18.197.239.5
• 4xKDL5YCfQ.exe | malicious | Njrat | 18.156.13.209
• R3ov8eFFFP.exe | malicious | Njrat | 3.127.138.57
• Ve0c8i5So2.exe | malicious | Njrat | 18.157.68.73
• LMQV4V1d3E.exe | malicious | Njrat | 18.192.93.86
• b8UsrDOVGV.exe | malicious | Njrat | 3.127.138.57
• 2G8CgDVl3K.exe | malicious | Njrat | 18.197.239.5

Match | Associated Sample Name / URL | Detection | Threat Name | Context

AMAZON-02US:
• Building Made Easy Proposal .pdf | malicious | Unknown | 54.231.201.144
• Nin6JE44ky.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 143.204.215.115
• NUEVO ORDEN01_202407238454854.pdf.exe | malicious | FormBook | 3.64.163.50
• IIMG_00172424.exe | malicious | FormBook | 76.223.67.189
• https://viture.com/windows | malicious | Unknown | 13.35.58.123
• MsSpellCheckingFacility.dll.dll | malicious | Unknown
                            • 18.245.62.218
                            MsSpellCheckingFacility.dll.dllGet hashmaliciousUnknownBrowse
                            • 18.245.62.95
                            GE AEROSPACE USA - WIRE REMITTANCE_.xlsxGet hashmaliciousHTMLPhisherBrowse
                            • 18.245.33.131
                            file.exeGet hashmaliciousAmadey, Babadeda, Stealc, Vidar, XmrigBrowse
                            • 143.204.215.122
                            file.exeGet hashmaliciousAmadey, Babadeda, Stealc, Vidar, XmrigBrowse
                            • 143.204.215.122
                            TUT-ASUSTxCOT6OBFk.exeGet hashmaliciousUnknownBrowse
                            • 208.95.112.1
                            M6hS9qGbFx.rtfGet hashmaliciousAgentTeslaBrowse
                            • 208.95.112.1
                            17217831671683454f6df61f6caa23ed5f4cc5b8f04491a526221f21a1ce37a4fd58746cbb470.dat-decoded.exeGet hashmaliciousClipboard Hijacker, QuasarBrowse
                            • 208.95.112.1
                            17217823862eb632fc7d34e74738954b9759cb00e549b63a7beb37128ab350b4d321af771d904.dat-decoded.exeGet hashmaliciousClipboard Hijacker, QuasarBrowse
                            • 208.95.112.1
                            Comprovante-Pagamento_66a04578f18a3.jsGet hashmaliciousClipboard Hijacker, QuasarBrowse
                            • 208.95.112.1
                            83M0VAEEuh.exeGet hashmaliciousWhiteSnake StealerBrowse
                            • 208.95.112.1
                            yt7dW9nyJK.exeGet hashmaliciousWhiteSnake Stealer, XWormBrowse
                            • 208.95.112.1
                            #U00d6deme Talimat#U01312024.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                            • 208.95.112.1
                            5i4hBrTNHm.rtfGet hashmaliciousAgentTeslaBrowse
                            • 208.95.112.1
                            SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exeGet hashmaliciousAgentTeslaBrowse
                            • 208.95.112.1
                            No context
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            C:\Users\user\AppData\Roaming\RCV.EXEInjector.exeGet hashmaliciousZTratBrowse
                              Windows21.exeGet hashmaliciousZTratBrowse
                                10.exeGet hashmaliciousUnknownBrowse
                                  Process:C:\Users\user\Desktop\7zFM.exe
                                  File Type:CSV text
                                  Category:dropped
                                  Size (bytes):1742
                                  Entropy (8bit):5.38333519179651
                                  Encrypted:false
                                  SSDEEP:48:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0HKCtHTHhAHKKkBAmHKcA9:iqbYqGSI6o9Zp/ellwmj0qCtzHeqKkBY
                                  MD5:0BE948BBCA74F85B3D2B466D6582C6F4
                                  SHA1:D6BDEC569DD5C748A94668D77109623322A79B9B
                                  SHA-256:A2C775508E39F74CC88A5BC9BE11D42F6A0EED68F7B4271B123F45D9C9E65E51
                                  SHA-512:23175FBFA21EFC503BDADE9CC7939EFA1E4377EB1CC572C44B37E3BAF673E29AB8F3BC1EF4A720CC7511C98A85A8034AB94DD143DE69826AB2D114EAC2D7CA30
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
                                  Process:C:\Users\user\Desktop\7zFM.exe
                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:33 2023, mtime=Wed Jul 24 07:55:02 2024, atime=Wed Jul 24 07:54:59 2024, length=2182144, window=hide
                                  Category:dropped
                                  Size (bytes):571
                                  Entropy (8bit):5.080355506036105
                                  Encrypted:false
                                  SSDEEP:12:8TNaqM//sDzYNbR1cf3kdsi5QjA6x3Ecc5zBmV:8TNaqs1n14kp5EAk3a5zBm
                                  MD5:FF6E7844A533C26B87BB7B12303EE930
                                  SHA1:0A3A7FE749FA02E0E5E6D58221D006085EDE124C
                                  SHA-256:251BBD18369612B94125277E55F149730EDE134953D4DB7688D78B6F1C235380
                                  SHA-512:07F37D79C49DB9FA52CF1D880E750856C4F97E1B56D7FF2414EFD24D0A3B0EA7071F8076C63F8AC55A2B09E898A92906F65E344A9BAD068F6F6CE62A2AE1734E
                                  Malicious:false
                                  Reputation:low
                                  Preview:L..................F.... .....s........,.......).....L!..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v....q.n......CZ,......Z.2..L!..X.F .7zFM.exe..B......DWQ`.X.F..........................5.P.7.z.F.M...e.x.e.......N...............-.......M...........Y........C:\Users\user\Desktop\7zFM.exe..%.....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.7.z.F.M...e.x.e.`.......X.......621365...........hT..CrF.f4... .t.T..b...,.......hT..CrF.f4... .t.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                  Process:C:\Users\user\Desktop\7zFM.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):1332736
                                  Entropy (8bit):7.966916525535396
                                  Encrypted:false
                                  SSDEEP:24576:PRQmcVNit/+nmGSbhn1s6zUwY4x2FiZlD+DnX7:PGvbmGSbh1s69YbFifyj
                                  MD5:134400FB7EFE11BFC5A01108FCEDDE82
                                  SHA1:60ADE212C51804B3E1B762EC589D23B3639F5BAA
                                  SHA-256:50BA6F23ECABABDAB3CE09CD1E93EDCE9539EB82E2D51C9A38D84CBD896EEEF2
                                  SHA-512:7699926C51375E62AEBF18B5B4A8D6F9F302DA3D218EB328872D7E89899CA7ECA86A932AD44B285412BE0352FFA24ED216E72224015FA6D4BCE4C5BFDEC9BCA6
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 58%
                                  • Antivirus: Virustotal, Detection: 65%, Browse
                                  Joe Sandbox View:
                                  • Filename: Injector.exe, Detection: malicious, Browse
                                  • Filename: Windows21.exe, Detection: malicious, Browse
                                  • Filename: 10.exe, Detection: malicious, Browse
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k~f.................J...........h... ........@.. .......................................................................h..K.......D...........................Rh............................................... ............... ..H............text....H... ...J.................. ..`.sdata...............N..............@....rsrc...D............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\netsh.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):110
                                  Entropy (8bit):4.898570146268789
                                  Encrypted:false
                                  SSDEEP:3:SKpJOLz3WF+RUepJVcFLzBVZEIIt+WfWSfxX0grmPn:wL73CepJK3jZhIwvSfh09
                                  MD5:46B8CD96CE4939D11B9FEEEA75C91624
                                  SHA1:7972A431A9B2CD717DDC54A6BAD84F238A6ECCEF
                                  SHA-256:89D52A585B8E89ECE19A7C6AB87096DB8889D26A2DFACDF107A74A817D83CC2F
                                  SHA-512:6ADB570B409AAE29D99FD5F7504EBCA3DBCF898E9D34489107EEB8B205313850DA8DB02FE1C71171E247DC674DDE7BAEEC5DB0A83EE6F2F15ABAA15E4E788425
                                  Malicious:false
                                  Preview:The following command was not found: firewall add allowedprogramC:\Users\user\Desktop\7zFM.exe 7zFM ENABLE...
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.976608933636009
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:7zFM.exe
                                  File size:2'182'144 bytes
                                  MD5:2fe0f2549f86229893dd19c6c1f308a9
                                  SHA1:aed113015b019a3f362403a64218b4dffc905b84
                                  SHA256:56876aad7e2cdb3f685ebe5fb66a08a8c5f418da061a823f91d96317d3e89fad
                                  SHA512:8231f273a3703ca59b47954be08b9f0c4d3bd1cb8b17192b645d3957631a47e5d42edc23b9ca40d55a3d6c3f909c53da199571dec473bb8d0c182aad6690c793
                                  SSDEEP:49152:q/cwmUWw4qu0YrZy0n9TpAmUguondIWpL1YQRhdVNbexGnbbWZ67ZSiw7nI6P:qkU3xY5FpAHguYLr7VNaeXR3
                                  TLSH:CFA523A4A3A5CF13D57E97BCDB7092611774AC62A643EF5AADE170DE1F332104E086C2
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!..f.................0!..........N!.. ........@.. ........................!...........`................................
                                  Icon Hash:b8868baba9aba2d8
                                  Entrypoint:0x614ede
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66A0BF21 [Wed Jul 24 08:45:21 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al    (repeated 97 times: the bytes after the entry stub are zero padding and disassemble as this instruction)
The entry point 0x614ede is a virtual address (imagebase 0x400000 + RVA 0x214ede) and sits in the last six bytes of .text (0x2000 + 0x212ee4 = 0x214ee4). The single jmp goes through the IAT slot at RVA 0x2000, whose only entry is mscoree.dll!_CorExeMain: this is the standard native stub of a .NET executable, so the real code is CIL, not what this native listing shows.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x214e8c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x216000 | 0x161c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x218000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x212ee4 | 0x213000 | ae301cda12a6277e60bfa2bea04b06a6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x216000 | 0x161c | 0x1800 | 46a70565d5f1010f1c47de78573924dd | False | 0.20768229166666666 | data | 3.099321909266737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x218000 | 0xc | 0x200 | e8d8ef93b3eaf06d24f288188493b0c1 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x216148 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.16532258064516128
RT_ICON | 0x216430 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.32094594594594594
RT_ICON | 0x216558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | | | 0.18310234541577824
RT_GROUP_ICON | 0x217400 | 0x30 | data | | | 0.9166666666666666
RT_MANIFEST | 0x217430 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
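The static header facts above (entry point, data directories, section table, a single mscoree.dll import, 7.97 bits/byte of entropy) are the first things an analyst verifies on a sample like this. The following is an added example, not code from Joe Sandbox or from the report: a minimal stdlib-only PE header parser that answers the three questions the table raises: is the image managed (non-zero COM descriptor directory of size 0x48), does the entry point resolve into .text once the listed VA is taken as imagebase + RVA, and which sections look packed. The sample PE it parses is constructed inline; its header values are copied from this report, while the section bodies are synthetic filler (seeded random bytes standing in for the packed .text), so its entropy is an assumption, not the sample's.

```python
import math
import random
import struct
from dataclasses import dataclass

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


@dataclass
class Section:
    name: str
    va: int
    vsize: int
    raw_off: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        return self.va <= rva < self.va + max(self.vsize, self.raw_size)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields we need, the data directories and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at +28, 16 directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at +24, directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_off, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_off, raw_size, sc))
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def triage(data: bytes) -> dict:
    """Managed or native, where the entry point lives, and which sections look packed."""
    pe = parse_pe(data)
    entry_sec = next((s for s in pe["sections"] if s.contains_rva(pe["entry_rva"])), None)
    com_rva, com_size = pe["dirs"].get("COM_DESCRIPTOR", (0, 0))
    entropy = {s.name: round(shannon_entropy(data[s.raw_off:s.raw_off + s.raw_size]), 3) for s in pe["sections"]}
    return {
        # a CLR image has a non-zero COM descriptor directory of sizeof(IMAGE_COR20_HEADER) == 0x48
        "managed": com_rva != 0 and com_size == 0x48,
        "entry_va": pe["image_base"] + pe["entry_rva"],   # the report lists the VA, not the RVA
        "entry_section": entry_sec.name if entry_sec else None,
        "section_entropy": entropy,
        "packed_hint": any(e > 7.5 for e in entropy.values()),
    }


def build_sample_pe() -> bytes:
    """Constructed sample: header values from this report, synthetic section bodies (assumption)."""
    rng = random.Random(7)
    text_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))   # stands in for the packed .text body
    rsrc_raw, reloc_raw = b"\0" * 0x200, b"\0" * 0x200
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x214E8C, 0x4F), (0x216000, 0x161C), (0x218000, 0xC)
    dirs[12], dirs[14] = (0x2000, 8), (0x2008, 0x48)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 48, 0, len(text_raw), len(rsrc_raw) + len(reloc_raw), 0,
                      0x214EDE, 0x2000, 0x216000, 0x400000, 0x2000, 0x200,
                      4, 0, 4, 0, 4, 0,
                      0, 0x21A000, 0x200, 0,
                      2, 0x8560,                      # GUI subsystem; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    assert len(opt) == 224
    secs = [(b".text", 0x212EE4, 0x2000, len(text_raw), 0x200, 0x60000020),
            (b".rsrc", 0x161C, 0x216000, len(rsrc_raw), 0x1200, 0x40000040),
            (b".reloc", 0xC, 0x218000, len(reloc_raw), 0x1400, 0x42000040)]
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, ch) for n, vs, va, rs, ro, ch in secs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x66A0BF21, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(0x200, b"\0")
    return headers + text_raw + rsrc_raw + reloc_raw


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On the real sample the .text entropy in the table is listed as unknown, but the whole-file entropy of 7.98 together with a 2 MB .text holding almost nothing but a six-byte native stub is the same signal the `packed_hint` check encodes: the CIL is there, but it is wrapped, and the unpacked payload is what the dropped RCV.EXE (1,332,736 bytes, entropy 7.97) most likely is.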
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2024 10:55:05.600248098 CEST | 49734 | 13067 | 192.168.2.4 | 3.126.37.18
Jul 24, 2024 10:55:05.607496023 CEST | 13067 | 49734 | 3.126.37.18 | 192.168.2.4
Jul 24, 2024 10:55:05.607682943 CEST | 49734 | 13067 | 192.168.2.4 | 3.126.37.18
Jul 24, 2024 10:55:06.068134069 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.073707104 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:06.073846102 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.074218035 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.080156088 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:06.555342913 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:06.597750902 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.773680925 CEST | 49734 | 13067 | 192.168.2.4 | 3.126.37.18
Jul 24, 2024 10:55:06.779350996 CEST | 13067 | 49734 | 3.126.37.18 | 192.168.2.4
Jul 24, 2024 10:55:44.336581945 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:44.336783886 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:46.570723057 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:46.879292965 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:47.488553047 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:48.691975117 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:51.098041058 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:55.910600901 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:57:05.519984007 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
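Two things in this TCP list matter for detection engineering. The ngrok tunnel endpoint (3.126.37.18:13067) is the only non-standard port, and the seven client-only packets to 208.95.112.1:80 from 10:56:46 onward have gaps that roughly double each time (0.31 s, 0.61 s, 1.2 s, 2.4 s, 4.8 s, 9.6 s): that is the shape of TCP retransmission backoff on a segment the server never acknowledges after it went quiet at 10:55:44, not a C2 polling interval, and a beacon-interval detector that counts them as seven check-ins will mis-size the beacon. The following is an added example, not Joe Sandbox code: it parses the rows above (embedded as constructed input in the pipe-separated form used here), groups them into flows, finds runs of unanswered client packets, and reports those whose gaps follow exponential backoff, alongside the per-server port set behind the "many ports of the same IP" signature. The doubling tolerance of 1.5 to 2.5 is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed input: the TCP rows of this report (timestamp | src port | dst port | src IP | dst IP)
PACKETS = """\
Jul 24, 2024 10:55:05.600248098 CEST | 49734 | 13067 | 192.168.2.4 | 3.126.37.18
Jul 24, 2024 10:55:05.607496023 CEST | 13067 | 49734 | 3.126.37.18 | 192.168.2.4
Jul 24, 2024 10:55:05.607682943 CEST | 49734 | 13067 | 192.168.2.4 | 3.126.37.18
Jul 24, 2024 10:55:06.068134069 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.073707104 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:06.073846102 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.074218035 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.080156088 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:06.555342913 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:06.597750902 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:55:06.773680925 CEST | 49734 | 13067 | 192.168.2.4 | 3.126.37.18
Jul 24, 2024 10:55:06.779350996 CEST | 13067 | 49734 | 3.126.37.18 | 192.168.2.4
Jul 24, 2024 10:55:44.336581945 CEST | 80 | 49735 | 208.95.112.1 | 192.168.2.4
Jul 24, 2024 10:55:44.336783886 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:46.570723057 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:46.879292965 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:47.488553047 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:48.691975117 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:51.098041058 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:56:55.910600901 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
Jul 24, 2024 10:57:05.519984007 CEST | 49735 | 80 | 192.168.2.4 | 208.95.112.1
"""


def parse_packets(text: str) -> list:
    """Rows -> (timestamp, src, sport, dst, dport). strptime takes at most 6 fractional digits, the report has 9."""
    pkts = []
    for line in text.strip().splitlines():
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        ts = ts.replace(" CEST", "")[:-3]
        pkts.append((datetime.strptime(ts, "%b %d, %Y %H:%M:%S.%f"), src, int(sport), dst, int(dport)))
    return pkts


def group_flows(pkts: list) -> dict:
    """Key packets by (client, cport, server, sport); the lower port is taken to be the server side (assumption)."""
    flows = defaultdict(list)
    for t, src, sport, dst, dport in pkts:
        if dport < sport:
            flows[(src, sport, dst, dport)].append((t, "out"))
        else:
            flows[(dst, dport, src, sport)].append((t, "in"))
    return flows


def unanswered_runs(packets: list) -> list:
    """Maximal runs of consecutive client packets with no server packet between them."""
    runs, cur = [], []
    for t, direction in packets:
        if direction == "out":
            cur.append(t)
        else:
            if len(cur) > 1:
                runs.append(cur)
            cur = []
    if len(cur) > 1:
        runs.append(cur)
    return runs


def backoff_tail(times: list, min_gaps: int = 3, lo: float = 1.5, hi: float = 2.5):
    """Longest suffix whose inter-packet gaps roughly double each time (TCP RTO backoff), else None."""
    for start in range(len(times) - min_gaps):
        tail = times[start:]
        gaps = [(b - a).total_seconds() for a, b in zip(tail, tail[1:])]
        ratios = [g2 / g1 if g1 > 0 else float("inf") for g1, g2 in zip(gaps, gaps[1:])]
        if len(gaps) >= min_gaps and all(lo <= r <= hi for r in ratios):
            return tail
    return None


def find_retransmission_backoff(text: str) -> list:
    """Flows whose trailing unanswered client packets follow exponential backoff: count them as one send, not many."""
    findings = []
    for flow, packets in group_flows(parse_packets(text)).items():
        for run in unanswered_runs(packets):
            tail = backoff_tail(run)
            if tail:
                findings.append({
                    "flow": flow,
                    "count": len(tail),
                    "first": tail[0].time().isoformat(timespec="milliseconds"),
                    "last": tail[-1].time().isoformat(timespec="milliseconds"),
                    "gaps_s": [round((b - a).total_seconds(), 2) for a, b in zip(tail, tail[1:])],
                })
    return findings


def server_ports(text: str) -> dict:
    """Distinct server ports contacted per remote IP (the input to a 'many ports of the same IP' rule)."""
    ports = defaultdict(set)
    for _client, _cport, server, sport in group_flows(parse_packets(text)):
        ports[server].add(sport)
    return dict(ports)


if __name__ == "__main__":
    print(server_ports(PACKETS))
    for f in find_retransmission_backoff(PACKETS):
        print(f)
```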
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2024 10:55:05.548548937 CEST | 61033 | 53 | 192.168.2.4 | 1.1.1.1
Jul 24, 2024 10:55:05.560436964 CEST | 53 | 61033 | 1.1.1.1 | 192.168.2.4
Jul 24, 2024 10:55:06.034251928 CEST | 54912 | 53 | 192.168.2.4 | 1.1.1.1
Jul 24, 2024 10:55:06.044133902 CEST | 53 | 54912 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 24, 2024 10:55:05.548548937 CEST | 192.168.2.4 | 1.1.1.1 | 0x5986 | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Jul 24, 2024 10:55:06.034251928 CEST | 192.168.2.4 | 1.1.1.1 | 0xfc50 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 24, 2024 10:55:05.560436964 CEST | 1.1.1.1 | 192.168.2.4 | 0x5986 | No error (0) | 2.tcp.eu.ngrok.io | | 3.126.37.18 | A (IP address) | IN (0x0001) | false
Jul 24, 2024 10:55:06.044133902 CEST | 1.1.1.1 | 192.168.2.4 | 0xfc50 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false

• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 208.95.112.1 | 80 | 7340 | C:\Users\user\Desktop\7zFM.exe

Timestamp | Bytes transferred | Direction | Data
Jul 24, 2024 10:55:06.074218035 CEST | 89 | OUT | GET /xml/?fields=countryCode,query HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jul 24, 2024 10:55:06.555342913 CEST | 292 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Jul 2024 08:55:06 GMT
Content-Type: application/xml; charset=utf-8
Content-Length: 116
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 71 75 65 72 79 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 71 75 65 72 79 3e 0a 3c 2f 71 75 65 72 79 3e
Data Ascii:
<?xml version="1.0" encoding="UTF-8"?>
<query>
  <countryCode>US</countryCode>
  <query>8.46.123.33</query>
</query>
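This single exchange backs three of the signatures listed at the top of the report: the request carries no User-Agent header, it goes to a public-IP lookup service (ip-api.com), and the response hands the sample its egress address and country. The following is an added example, not Joe Sandbox code: a small parser run over the exact request and response bytes above (reproduced inline; they come to the 89 and 292 bytes the session table lists) that extracts those three facts the way a proxy-log or PCAP rule would. The list of IP-lookup hosts is an illustrative assumption, and so is the rule that a missing User-Agent is worth flagging on its own (many legitimate clients omit it; combine it with the destination).

```python
import xml.etree.ElementTree as ET

# Captured bytes reproduced from this report's HTTP session (request 89 bytes, response 292 bytes)
REQUEST = (
    b"GET /xml/?fields=countryCode,query HTTP/1.1\r\n"
    b"Host: ip-api.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 24 Jul 2024 08:55:06 GMT\r\n"
    b"Content-Type: application/xml; charset=utf-8\r\n"
    b"Content-Length: 116\r\n"
    b"Access-Control-Allow-Origin: *\r\n"
    b"X-Ttl: 60\r\n"
    b"X-Rl: 44\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<query>\n"
    b"  <countryCode>US</countryCode>\n"
    b"  <query>8.46.123.33</query>\n"
    b"</query>"
)

# Public-IP lookup services commonly contacted by stealers and RATs (illustrative list, an assumption)
IP_CHECK_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me", "checkip.dyndns.org"}


def parse_http(raw: bytes):
    """Split one HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw: bytes) -> dict:
    start, headers, _ = parse_http(raw)
    method, path, _version = start.split(" ", 2)
    host = headers.get("host", "").lower()
    return {"method": method, "path": path, "host": host,
            "missing_user_agent": "user-agent" not in headers,
            "ip_check_lookup": host in IP_CHECK_HOSTS}


def inspect_response(raw: bytes) -> dict:
    """Validate Content-Length against the body and pull the fields ip-api.com returns for this query."""
    start, headers, body = parse_http(raw)
    status = int(start.split()[1])
    declared = int(headers.get("content-length", "-1"))
    result = {"status": status, "length_ok": declared == len(body), "country": None, "public_ip": None}
    if status == 200 and headers.get("content-type", "").startswith("application/xml") and body:
        root = ET.fromstring(body)
        result["country"] = root.findtext("countryCode")
        result["public_ip"] = root.findtext("query")
    return result


def flags(request: bytes, response: bytes) -> list:
    """Human-readable reasons this exchange is worth an alert."""
    req, resp = inspect_request(request), inspect_response(response)
    out = []
    if req["ip_check_lookup"]:
        out.append(f"public IP lookup via {req['host']}{req['path']}")
    if req["missing_user_agent"]:
        out.append("HTTP request without a User-Agent header")
    if resp["public_ip"]:
        out.append(f"server revealed egress IP {resp['public_ip']} ({resp['country']})")
    return out


if __name__ == "__main__":
    for line in flags(REQUEST, RESPONSE):
        print(line)
```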



                                  Target ID:0
                                  Start time:04:55:00
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\7zFM.exe"
                                  Imagebase:0x2127d480000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_ZTrat, Description: Yara detected ZTrat, Source: 00000000.00000000.1686714973.000002127D482000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:2
                                  Start time:04:55:02
                                  Start date:24/07/2024
                                  Path:C:\Windows\System32\netsh.exe
                                  Wow64 process (32bit):false
                                  Commandline:netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
                                  Imagebase:0x7ff77e0e0000
                                  File size:96'768 bytes
                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:3
                                  Start time:04:55:02
                                  Start date:24/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:04:55:02
                                  Start date:24/07/2024
                                  Path:C:\Windows\System32\netsh.exe
                                  Wow64 process (32bit):false
                                  Commandline:netsh firewall add allowedprogram"C:\Users\user\Desktop\7zFM.exe" "7zFM" ENABLE
                                  Imagebase:0x7ff77e0e0000
                                  File size:96'768 bytes
                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:5
                                  Start time:04:55:02
                                  Start date:24/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:04:55:03
                                  Start date:24/07/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\user\Desktop\7zFM.exe"
                                  Imagebase:0x7ff76f990000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:04:55:03
                                  Start date:24/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:04:55:05
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\Desktop\7zFM.exe
                                  Imagebase:0x12bd99a0000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:9
                                  Start time:04:55:15
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\7zFM.exe"
                                  Imagebase:0x16a01c30000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:13
                                  Start time:04:55:23
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\7zFM.exe"
                                  Imagebase:0x1c8d9410000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:14
                                  Start time:04:55:31
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\7zFM.exe"
                                  Imagebase:0x20dc9110000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:15
                                  Start time:04:55:39
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\7zFM.exe"
                                  Imagebase:0x22e13da0000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:16
                                  Start time:04:56:01
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\Desktop\7zFM.exe
                                  Imagebase:0x1246c350000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:18
                                  Start time:04:57:00
                                  Start date:24/07/2024
                                  Path:C:\Users\user\Desktop\7zFM.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\Desktop\7zFM.exe
                                  Imagebase:0x2d8bc890000
                                  File size:2'182'144 bytes
                                  MD5 hash:2FE0F2549F86229893DD19C6C1F308A9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: J]_H$`]_H
                                    • API String ID: 0-2066162018
                                    • Opcode ID: 09e48aac743f3a9cc322accc4105ba35a7a1c1c6c9af7888e4703720bea53cb1
                                    • Instruction ID: ced57ef2115a4431f94a2397ea17ec050b86bb71331d6afbbf242db9a53c3e55
                                    • Opcode Fuzzy Hash: 09e48aac743f3a9cc322accc4105ba35a7a1c1c6c9af7888e4703720bea53cb1
                                    • Instruction Fuzzy Hash: 56936E70A0961D8FDBA4EF58C8A4BA8B7B1FF59304F5041F9D01DD72A6CE35AA81CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: acb28b9277f486aee264cfb2cb0e4b932a864000cdb69ad1188bfcb0b0114d20
                                    • Instruction ID: 1e23a9a8067d74ec8f3f98a40dcf1754b72334250977493b2afcb3e362dd99c4
                                    • Opcode Fuzzy Hash: acb28b9277f486aee264cfb2cb0e4b932a864000cdb69ad1188bfcb0b0114d20
                                    • Instruction Fuzzy Hash: 02D2FB70A09A5D8FDB99EF18C8A4BE9B7F1FF59300F4401EAD01DD7296DA346A81CB11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 891ac92cf2bb56a469ea388e9067fc834cabd067c310e5fa2a7a6783e3c7aa00
                                    • Instruction ID: 83464ff8237fab50ec8b3263aa2d64656e060f9b80038c1bfc9a5694be9045bf
                                    • Opcode Fuzzy Hash: 891ac92cf2bb56a469ea388e9067fc834cabd067c310e5fa2a7a6783e3c7aa00
                                    • Instruction Fuzzy Hash: 5AB2FB70A09A5D8FDB99EF18C8A4BA9B7F1FF59300F4401EAD01DD7296CA356A81CF11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1b87abe89c8179b556978a8ba7851dc399be3817042f9272fea53fa8dc5b7452
                                    • Instruction ID: 0cef54bd072eed5552b2caffb8bb57aefdf84d16bb5687e561727eff5e0e99e0
                                    • Opcode Fuzzy Hash: 1b87abe89c8179b556978a8ba7851dc399be3817042f9272fea53fa8dc5b7452
                                    • Instruction Fuzzy Hash: 35F1D830A19A4D8FEBA8DF38C8657E937D1FF58310F04426EE85DC72A5DB3499458B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c0d9997267d7d6d8da288797946bafe38054d0135e7b5c60a3aa1ef4db72abfc
                                    • Instruction ID: 33fdbc4822a9120730ec32aef407f9422d30d7c8204c33ad1d4bd8a64c4ca1f0
                                    • Opcode Fuzzy Hash: c0d9997267d7d6d8da288797946bafe38054d0135e7b5c60a3aa1ef4db72abfc
                                    • Instruction Fuzzy Hash: 32E1D730619A4E8FEBA8EF68C8657E977E1FF58310F04426ED84DC72A5CE7499418BC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: aG]I$G]I
                                    • API String ID: 0-3889915672
                                    • Opcode ID: 43ea7dc5de0eaf4d1d0fd70934229501dba453da2cfb9b0b97bb0936f839bc5c
                                    • Instruction ID: b63416fc5a1e3544682ec2b20233548d4b74b911c205b7944ea0ca0423ad0681
                                    • Opcode Fuzzy Hash: 43ea7dc5de0eaf4d1d0fd70934229501dba453da2cfb9b0b97bb0936f839bc5c
                                    • Instruction Fuzzy Hash: 61811371E0DA4C4FDB54EF9888596E87BE1FF58300F1481ABD448D3296DB34A885CB81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: H
                                    • API String ID: 0-2852464175
                                    • Opcode ID: e93196ebdea7a754b0548ebf50b7e9e983001b76ccee847e37417e89086173c9
                                    • Instruction ID: 73f1f59926a967f71eb235b28b556bf429a5843abc136a6d06e4f985633966bd
                                    • Opcode Fuzzy Hash: e93196ebdea7a754b0548ebf50b7e9e983001b76ccee847e37417e89086173c9
                                    • Instruction Fuzzy Hash: DDA13A70A19A5D8FEBA8EF98D8647E8B7F1FF59300F4500B9D00DD72A2DA35A941CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2e11438b1ee3238fc4ebe6c80f1a36fbebef2fff02925d5bd4ba664abbfff40e
                                    • Instruction ID: 0202abb9af5073f01619c8609f02ecf32f76d014fbb2ee61bd9a850c0dd0e737
                                    • Opcode Fuzzy Hash: 2e11438b1ee3238fc4ebe6c80f1a36fbebef2fff02925d5bd4ba664abbfff40e
                                    • Instruction Fuzzy Hash: E4B1E93061DA4D4FDB68EF28C8557E93BD1FF59310F04426EE84DC7296DA749941CB82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dfc0319b39f5f6fdb7591a76d9b88ecff4b0890776056e8725d75b0cfb932d58
                                    • Instruction ID: 3cf396580125f608df87d238591461ee16d937c035c6d4ad9c8d771eea270251
                                    • Opcode Fuzzy Hash: dfc0319b39f5f6fdb7591a76d9b88ecff4b0890776056e8725d75b0cfb932d58
                                    • Instruction Fuzzy Hash: FEA12A30E0965D8FDBA5DF68C8547ACBBB5FF5A304F5040AAD00DE7292DA35A981CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8ba81d1609ddf21ee935df751608f70c5ca8c35a51ef30717b9107b6daf53941
                                    • Instruction ID: 95bf90eb5b3edcc1c4246ccf57026700bacf107d29d82f1ed9fcb544b9a32ff5
                                    • Opcode Fuzzy Hash: 8ba81d1609ddf21ee935df751608f70c5ca8c35a51ef30717b9107b6daf53941
                                    • Instruction Fuzzy Hash: C9A18030A0994D8FEB95EF68C864BEDBBF1FF59301F5500A6D00DD72A6DA346981CB11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5c65f2fec72600d4d261edea3e9e7cbc9dcfbb16f358903dcda04e0adb95b508
                                    • Instruction ID: e1aef99da627dfba6d844eb57a77f0f93744262c0659e2fda64d7e2f6cdf1306
                                    • Opcode Fuzzy Hash: 5c65f2fec72600d4d261edea3e9e7cbc9dcfbb16f358903dcda04e0adb95b508
                                    • Instruction Fuzzy Hash: 8DA1D771A0895C8FDF94EF6CC899EA9BBF1FF69301F0501A6E00DD7265CA34A881CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 20060619b291f9b09e550137dfb61ea495f04faa2ff81407f182064bebe110df
                                    • Instruction ID: e10b02f6fa7481af2c9fe3abf58cf2e108ba7799cb4caa4864549b29d80af845
                                    • Opcode Fuzzy Hash: 20060619b291f9b09e550137dfb61ea495f04faa2ff81407f182064bebe110df
                                    • Instruction Fuzzy Hash: 9F919334A1891D8FDBA5EB28C854BE9B7B2FF59301F5041F9D41DE3296CA34AA818F40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 93066b5dffcd681fe1425a172c334f172db5ebefad9e64063ac314407d33cc59
                                    • Instruction ID: b104b482840ca9133a640cb86071c084def6b40207eee1d650330314d43c81da
                                    • Opcode Fuzzy Hash: 93066b5dffcd681fe1425a172c334f172db5ebefad9e64063ac314407d33cc59
                                    • Instruction Fuzzy Hash: 8061DB31A0898D8FDB8DDF58C4A49E97BF1FF5D340B1441AAD449DB3A6DA31A842CB10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e19697486d591441880f972a24b85329ebcbe04ddee7047b0cd3601e7edc9184
                                    • Instruction ID: 40a5c820d6dfe2988b01f65744d1638ae6b8ad45440c213bba5baf9d27fa1e61
                                    • Opcode Fuzzy Hash: e19697486d591441880f972a24b85329ebcbe04ddee7047b0cd3601e7edc9184
                                    • Instruction Fuzzy Hash: 57517230908A1C8FDB68DF58D855BE9BBF1FF59310F1082AAD44DD3296DE34A9858F81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aaa7592c78a64568855c595865386dbb84ce6ccd7db37228c15a36916556bf69
                                    • Instruction ID: c8abb1775f77011c8c1534df4ec8f03291874323f5cc2b4c3b0553445e4ce0b3
                                    • Opcode Fuzzy Hash: aaa7592c78a64568855c595865386dbb84ce6ccd7db37228c15a36916556bf69
                                    • Instruction Fuzzy Hash: ED612D71A09A5D8FDBA4EF58D898BAD77F2FF58300F10016AE41DD7255DB30A981CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 569069ef830766f09d77cc7df469f7ecbc535adb274bc0991d4c8fb5e38f3b17
                                    • Instruction ID: 680cd846cc991d475f981d8fb73230f48d062b0408f95aaf7c4f096dd04fd1b8
                                    • Opcode Fuzzy Hash: 569069ef830766f09d77cc7df469f7ecbc535adb274bc0991d4c8fb5e38f3b17
                                    • Instruction Fuzzy Hash: BF517D3198E6DA5FD70797649C324EA7FB4DF07325B1A02A3D088CB1A3C51D6687C3A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e62e180b2c5122b58061e8fba5e3d2168db4a6617a457bdfda468de550135c6
                                    • Instruction ID: 6f62fd9ba7633f9193e8e3d9f294a8767d51a350cd26f44a77224a127b635040
                                    • Opcode Fuzzy Hash: 1e62e180b2c5122b58061e8fba5e3d2168db4a6617a457bdfda468de550135c6
                                    • Instruction Fuzzy Hash: 3F1187A1A0E7DA4FD7238F684C651A97FB0EF17210F4A50F7D098C70E7DA246515C351
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: afd8b5e83379950b6cd8ee991897cf0948ae5d06c13b6335e2084a23d50676b3
                                    • Instruction ID: d865dcc93d5b8769baaa4c5bce7665e0abb842a1a09a1bb17e512c1445d77c92
                                    • Opcode Fuzzy Hash: afd8b5e83379950b6cd8ee991897cf0948ae5d06c13b6335e2084a23d50676b3
                                    • Instruction Fuzzy Hash: 6851297190E6998FEB59DF68D8656E9BBA0FF0A300F0500BBD059871D3DA38A941C750
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2970424134.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b8a0000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d1213f754635561454709cbdfc83517781ed02394e183be2385b3bc9baab3f17
                                    • Instruction ID: 9a516679fba666cc74b30587dda46ded988fdc53db007dfb3479555b499ea5b8
                                    • Opcode Fuzzy Hash: d1213f754635561454709cbdfc83517781ed02394e183be2385b3bc9baab3f17
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4f9cfd7a4ac2cbfd39fc769c216311b9213fe889215dac9e3544c218991209f0
                                    • Instruction ID: a5c99de081a32c13dd8050e5313f3a96bc6e77ce2adb982765b1069e9924d021
                                    • Opcode Fuzzy Hash: 4f9cfd7a4ac2cbfd39fc769c216311b9213fe889215dac9e3544c218991209f0
                                    • Instruction Fuzzy Hash: AAE0923160F2CD4ED72717E408651E8BF60EF47208F0A01F6D48C464E7D95D5658C362
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2301498813.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9b880000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2f1094bbb7919f5e22f27dd857727d7ad89f739eaea58b9229284fa53e0f5ea6
                                    • Instruction ID: bb129b825ff9a7b200af69d7b38e8c719cc319236971b2c33ad88e10a6ff147c
                                    • Opcode Fuzzy Hash: 2f1094bbb7919f5e22f27dd857727d7ad89f739eaea58b9229284fa53e0f5ea6
                                    • Instruction Fuzzy Hash: A511E73060A74E8FE719DF30E8506E97761FF8A304F420839D42D871D1CA7EA911C741
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2301498813.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9b880000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bbea3f04da35fb7983cebefe6b2906b18c5db06db4886a60517cbef86bd22cde
                                    • Instruction ID: 89d61b81fc5a8c017c7e1b0c7d760ba50f78c6f06dd181dd6c5c9cf4a577234c
                                    • Opcode Fuzzy Hash: bbea3f04da35fb7983cebefe6b2906b18c5db06db4886a60517cbef86bd22cde
                                    • Instruction Fuzzy Hash: 9B118E30D1EA4E8FD751EF6488292FD7BB0FF0A300F4105AAD069D7192DB389A04CB41
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2301498813.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9b880000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f2de11144e9455b78c2600af80bf1fe87352fb03c49db3a783656f8431bb4a25
                                    • Instruction ID: 6baf500bbe34217d130e1a2a82975eacb22f89da675c764eb28aa4fe49596620
                                    • Opcode Fuzzy Hash: f2de11144e9455b78c2600af80bf1fe87352fb03c49db3a783656f8431bb4a25
                                    • Instruction Fuzzy Hash: F8E09A31A0F6CC4ED72327A818650E83F60EF4B208F0A01F6E4AC860F7D96D5A98C352
                                    Memory Dump Source
                                    • Source File: 00000012.00000002.2892948439.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2f1094bbb7919f5e22f27dd857727d7ad89f739eaea58b9229284fa53e0f5ea6
                                    • Instruction ID: bb129b825ff9a7b200af69d7b38e8c719cc319236971b2c33ad88e10a6ff147c
                                    • Opcode Fuzzy Hash: 2f1094bbb7919f5e22f27dd857727d7ad89f739eaea58b9229284fa53e0f5ea6
                                    • Instruction Fuzzy Hash: A511E73060A74E8FE719DF30E8506E97761FF8A304F420839D42D871D1CA7EA911C741
                                    Memory Dump Source
                                    • Source File: 00000012.00000002.2892948439.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bbea3f04da35fb7983cebefe6b2906b18c5db06db4886a60517cbef86bd22cde
                                    • Instruction ID: 89d61b81fc5a8c017c7e1b0c7d760ba50f78c6f06dd181dd6c5c9cf4a577234c
                                    • Opcode Fuzzy Hash: bbea3f04da35fb7983cebefe6b2906b18c5db06db4886a60517cbef86bd22cde
                                    • Instruction Fuzzy Hash: 9B118E30D1EA4E8FD751EF6488292FD7BB0FF0A300F4105AAD069D7192DB389A04CB41
                                    Memory Dump Source
                                    • Source File: 00000012.00000002.2892948439.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_7zFM.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f2de11144e9455b78c2600af80bf1fe87352fb03c49db3a783656f8431bb4a25
                                    • Instruction ID: 6baf500bbe34217d130e1a2a82975eacb22f89da675c764eb28aa4fe49596620
                                    • Opcode Fuzzy Hash: f2de11144e9455b78c2600af80bf1fe87352fb03c49db3a783656f8431bb4a25
                                    • Instruction Fuzzy Hash: F8E09A31A0F6CC4ED72327A818650E83F60EF4B208F0A01F6E4AC860F7D96D5A98C352