
Windows Analysis Report
Injector.exe

Overview

General Information

Sample name: Injector.exe
Analysis ID: 1489327
MD5: 2b943b85bab5335d5ee010d9518bdab3
SHA1: 28958a9ebec4d60f941c510a6aec984bab4d4ab1
SHA256: dcf7ef26bf532a4e72f591b739715da80a4309f890a6c5696153824983ba4d8a
Tags: exe

Detection

ZTrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected ZTrat
.NET source code contains potential unpacker
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Injector.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\Injector.exe" MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
    • netsh.exe (PID: 7328 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7392 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7484 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Injector" /tr "C:\Users\user\Desktop\Injector.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Injector.exe (PID: 7552 cmdline: C:\Users\user\Desktop\Injector.exe MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 7648 cmdline: C:\Users\user\Desktop\Injector.exe MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\Injector.exe" MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 7860 cmdline: "C:\Users\user\Desktop\Injector.exe" MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 8088 cmdline: "C:\Users\user\Desktop\Injector.exe" MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 8180 cmdline: "C:\Users\user\Desktop\Injector.exe" MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 4348 cmdline: C:\Users\user\Desktop\Injector.exe MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • Injector.exe (PID: 7544 cmdline: C:\Users\user\Desktop\Injector.exe MD5: 2B943B85BAB5335D5EE010D9518BDAB3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Injector.exe | JoeSecurity_ZTrat | Yara detected ZTrat | Joe Security |
00000000.00000000.1657608925.000001AD69FE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ZTrat | Yara detected ZTrat | Joe Security |
0.0.Injector.exe.1ad69fe0000.0.unpack | JoeSecurity_ZTrat | Yara detected ZTrat | Joe Security |

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\Desktop\Injector.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Injector.exe, ProcessId: 7296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Injector
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\Injector.exe, ProcessId: 7296, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Injector.lnk
No Suricata rule has matched

AV Detection

Source: Injector.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Recovery.exe | Avira: detection malicious, Label: HEUR/AGEN.1326753
Source: 2.tcp.eu.ngrok.io | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\Recovery.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\Recovery.exe | Virustotal: Detection: 69%
Source: Yara match | File source: Injector.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Injector.exe.1ad69fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1657608925.000001AD69FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Recovery.exe | Joe Sandbox ML: detected
Source: Injector.exe | Joe Sandbox ML: detected
Source: Injector.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Injector.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\code\GitHub\NAudio\NAudio\obj\Release\NAudio.pdb | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb` | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PluginLoader.pdb | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp, Recovery.exe.0.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256 | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\RemoteCamera\RemoteCamera\obj\Debug\RemoteCamera.pdb | source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: global traffic | TCP traffic: 18.197.239.5 ports 0,1,2,3,8,13028
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 18.197.239.5:13028
Source: global traffic | HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 18.197.239.5
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: 2.tcp.eu.ngrok.io
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Injector.exe, 00000000.00000002.2902947629.000001AD00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Injector.exe | String found in binary or memory: http://ip-api.com/xml/?fields=country
Source: Injector.exe | String found in binary or memory: http://ip-api.com/xml/?fields=countryCode
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: Injector.exe, 00000000.00000002.2902947629.000001AD00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0

E-Banking Fraud

Source: Yara match | File source: Injector.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Injector.exe.1ad69fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1657608925.000001AD69FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Injector.exe | Code function: 0_2_00007FFD9B8BDBA6
Source: C:\Users\user\Desktop\Injector.exe | Code function: 0_2_00007FFD9B8BE952
Source: C:\Users\user\Desktop\Injector.exe | Code function: 0_2_00007FFD9B8B4ECC
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Recovery.exe 50BA6F23ECABABDAB3CE09CD1E93EDCE9539EB82E2D51C9A38D84CBD896EEEF2
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll. vs Injector.exe
Source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Injector.exe
Source: Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll. vs Injector.exe
Source: Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Injector.exe
Source: Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll. vs Injector.exe
Source: Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Injector.exe
Source: Injector.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Recovery.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Injector.exe, 3RM-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Injector.exe, 3RM-.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Injector.exe.1ad6c6903a4.9.raw.unpack, ZT_RAT_Resolver.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Injector.exe.1ad6c6903a4.9.raw.unpack, ZT_RAT_Resolver.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Injector.exe.1ad1089771c.4.raw.unpack, ZT_RAT_Resolver.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Injector.exe.1ad1089771c.4.raw.unpack, ZT_RAT_Resolver.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Injector.exe, PBQ-.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Injector.exe, PBQ-.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Injector.exe, 1xM-.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Injector.exe, 1xM-.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Injector.exe, qhM-.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Injector.exe, qhM-.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/5@3/2
Source: C:\Users\user\Desktop\Injector.exe | File created: C:\Users\user\AppData\Roaming\Recovery.exe
Source: C:\Users\user\Desktop\Injector.exe | Mutant created: \Sessions\1\BaseNamedObjects\ZT_RAT_S9mM9E48iX37279VFW392iG471f248tJK0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Users\user\Desktop\Injector.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: Injector.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Injector.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Injector.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Injector.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Injector.exe | String found in binary or memory: <[Runned]> #/start-monitoring!/stop-monitoring!/run-file-memory
Source: Injector.exe | String found in binary or memory: <[Runned]> #/start-monitoring!/stop-monitoring!/run-file-memory
Source: Injector.exe | String found in binary or memory: /add-userTemp
Source: Injector.exe | String found in binary or memory: /add-window
Source: Injector.exe | String found in binary or memory: /stop-recording#/get-audio-reader'/get-clipboard-text#/sended-clipboard!/clipboard-clear
Source: Injector.exe | String found in binary or memory: /stop-recording#/get-audio-reader'/get-clipboard-text#/sended-clipboard!/clipboard-clear
Source: Injector.exe | String found in binary or memory: /stop-wav
Source: Injector.exe | String found in binary or memory: /stop-wav
Source: Injector.exe | String found in binary or memory: /play-wavPlay/run!/enter-directory-/add-filemanager-items
Source: Injector.exe | String found in binary or memory: /stop'/get-remote-desktop
Source: Injector.exe | String found in binary or memory: /stop'/get-remote-desktop
Source: Injector.exe | String found in binary or memory: /add-services
Source: Injector.exe | String found in binary or memory: /stop-service
Source: Injector.exe | String found in binary or memory: /stop-service
Source: Injector.exe | String found in binary or memory: /add-element
Source: Injector.exe | String found in binary or memory: RunLocalMachine%RunOnceCurrentUser'RunOnceLocalMachineFile)/get-startup-manager7Select * from Win32_Process
Source: Injector.exe | String found in binary or memory: /add-processes
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe "C:\Users\user\Desktop\Injector.exe"
Source: C:\Users\user\Desktop\Injector.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Injector.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Injector.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Injector" /tr "C:\Users\user\Desktop\Injector.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe C:\Users\user\Desktop\Injector.exe
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe C:\Users\user\Desktop\Injector.exe
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe "C:\Users\user\Desktop\Injector.exe"
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe "C:\Users\user\Desktop\Injector.exe"
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe "C:\Users\user\Desktop\Injector.exe"
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe "C:\Users\user\Desktop\Injector.exe"
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe C:\Users\user\Desktop\Injector.exe
Source: unknown | Process created: C:\Users\user\Desktop\Injector.exe C:\Users\user\Desktop\Injector.exe
Source: C:\Users\user\Desktop\Injector.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
Source: C:\Users\user\Desktop\Injector.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
Source: C:\Users\user\Desktop\Injector.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Injector" /tr "C:\Users\user\Desktop\Injector.exe"
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Injector.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Injector.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Injector.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: Injector.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\Desktop\Injector.exe
        Source: C:\Users\user\Desktop\Injector.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Injector.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Injector.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: Injector.exe | Static file information: File size 2317824 > 1048576
        Source: Injector.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x235600
        Source: Injector.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\code\GitHub\NAudio\NAudio\obj\Release\NAudio.pdb source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb` source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: PluginLoader.pdb source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp, Recovery.exe.0.dr
        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256 source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: c:\RemoteCamera\RemoteCamera\obj\Debug\RemoteCamera.pdb source: Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: Injector.exe, GTs-.cs | .Net Code: HDs_003D System.Reflection.Assembly.Load(byte[])
        Source: Injector.exe, BhQ-.cs | .Net Code: CBQ_003D
        Source: Injector.exe, qhM-.cs | .Net Code: yBM_003D System.Reflection.Assembly.Load(byte[])
        Source: Injector.exe, qhM-.cs | .Net Code: yBM_003D
        Source: Injector.exe, qhM-.cs | .Net Code: zRM_003D System.Reflection.Assembly.Load(byte[])
        Source: Injector.exe, qhM-.cs | .Net Code: zRM_003D
        Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs | .Net Code: NWcBDLfA2xZ1tRDixM System.Reflection.Assembly.Load(byte[])
        Source: C:\Users\user\Desktop\Injector.exe | Code function: 0_2_00007FFD9B8B73DB push ecx; retf 0_2_00007FFD9B8B73DC
        Source: Recovery.exe.0.dr | Static PE information: section name: .text entropy: 7.971057347412118
        Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs | High entropy of concatenated method names: 'Y7u4B2dCuk', 'Da54reTuLO', 'uYj4gKIhw5', 'njP4PBod3Y', 'HdT4QBGQ0b', 'Qyq4AxML9R', 'fhc49cm4i2', 'aOx4MWC618', 'U554ObJImv', 'HPJ40rcGf5'
        Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs | High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'kYd4vQX9Yy', 'tLYhl8JOA1PxR', 'AHW2wpGmj', 'mIwlVflxN', 'O8KfDo4M0', 'XIXqirSmE', 'mmVBvHpT6', 'K39rOyNI0', 'MLogIiUCe'
        Source: C:\Users\user\Desktop\Injector.exe | File created: C:\Users\user\AppData\Roaming\Recovery.exe

        Boot Survival

        Source: C:\Users\user\Desktop\Injector.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Injector" /tr "C:\Users\user\Desktop\Injector.exe"
        Source: C:\Users\user\Desktop\Injector.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Injector.lnkJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Injector.lnkJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run InjectorJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run InjectorJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run InjectorJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run InjectorJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Injector.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1AD6A550000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1AD6BF20000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1DC8AB20000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1DCA4560000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 2203EA50000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 22058460000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1670FDB0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 16729660000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1EC647B0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1EC7E1E0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1C901400000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 1C91AD00000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 2292FD00000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 22947F30000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 27B146A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 27B2E120000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 29AB89B0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: 29AD23C0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\Injector.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Injector.exe Window / User API: threadDelayed 7535
        Source: C:\Users\user\Desktop\Injector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Recovery.exe
        Source: C:\Users\user\Desktop\Injector.exe TID: 7604 Thread sleep count: 199 > 30
        Source: C:\Users\user\Desktop\Injector.exe TID: 7300 Thread sleep count: 7535 > 30
        Source: C:\Users\user\Desktop\Injector.exe TID: 7300 Thread sleep time: -75350s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 7576 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 7668 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 7756 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 7880 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 8112 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 2812 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe TID: 4544 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Injector.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: netsh.exe, 00000003.00000003.1668974098.000001C9223D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
        Source: Injector.exe, 00000000.00000002.2916178177.000001AD6C980000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: netsh.exe, 00000001.00000003.1666851346.000001ACE0AB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
        Source: C:\Users\user\Desktop\Injector.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Injector.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\Injector.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Injector" /tr "C:\Users\user\Desktop\Injector.exe"
        Source: C:\Users\user\Desktop\Injector.exe Queries volume information: C:\Users\user\Desktop\Injector.exe VolumeInformation
        Source: C:\Users\user\Desktop\Injector.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\Injector.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\Injector.exe Process created: C:\Windows\System32\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
        Source: Injector.exe, 00000000.00000002.2916178177.000001AD6CA3D000.00000004.00000020.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2916178177.000001AD6C9E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
        Source: C:\Users\user\Desktop\Injector.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

        Stealing of Sensitive Information

        Source: Yara match File source: Injector.exe, type: SAMPLE
        Source: Yara match File source: 0.0.Injector.exe.1ad69fe0000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000000.00000000.1657608925.000001AD69FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match File source: Injector.exe, type: SAMPLE
        Source: Yara match File source: 0.0.Injector.exe.1ad69fe0000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 00000000.00000000.1657608925.000001AD69FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        MITRE ATT&CK Matrix (table flattened by extraction; columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)

        Techniques flagged for this sample: Windows Management Instrumentation; Command and Scripting Interpreter; Scheduled Task/Job; Registry Run Keys / Startup Folder; DLL Side-Loading; Process Injection; Masquerading; Disable or Modify Tools; Virtualization/Sandbox Evasion; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Software Packing; Security Software Discovery; Application Window Discovery; System Network Configuration Discovery; File and Directory Discovery; System Information Discovery; Archive Collected Data; Encrypted Channel; Non-Standard Port; Ingress Tool Transfer; Non-Application Layer Protocol; Application Layer Protocol.
        Behavior Graph ID: 1489327; Sample: Injector.exe; Start date: 07/08/2024; Architecture: WINDOWS; Score: 100
        Network: 2.tcp.eu.ngrok.io (18.197.239.5, ports 13028 / 49730, AMAZON-02 US, United States); ip-api.com (208.95.112.1, ports 49731 / 80, TUT-AS US, United States); 198.187.3.20.in-addr.arpa
        Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 7 other signatures
        Processes: Injector.exe started (three instances, plus 6 other processes). One Injector.exe instance dropped C:\Users\user\AppData\Roaming\Recovery.exe (PE32) and started netsh.exe (twice) and schtasks.exe, each of which started a conhost.exe; signatures on this instance: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Another Injector.exe instance dropped C:\Users\user\AppData\...\Injector.exe.log (CSV).

        Source | Detection | Scanner | Label
        Injector.exe | 100% | Avira | TR/Dropper.Gen
        Injector.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Recovery.exe | 100% | Avira | HEUR/AGEN.1326753
        C:\Users\user\AppData\Roaming\Recovery.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\Recovery.exe | 71% | ReversingLabs | Win32.Trojan.Jalapeno
        C:\Users\user\AppData\Roaming\Recovery.exe | 69% | Virustotal |

        No Antivirus matches

        Source | Detection | Scanner | Label
        2.tcp.eu.ngrok.io | 12% | Virustotal |
        ip-api.com | 0% | Virustotal |
        198.187.3.20.in-addr.arpa | 1% | Virustotal |

        Source | Detection | Scanner | Label
        http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
        http://www.symauth.com/cps0( | 0% | URL Reputation | safe
        http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
        http://ocsp.thawte.com0 | 0% | URL Reputation | safe
        http://ip-api.com | 0% | URL Reputation | safe
        http://ip-api.com/xml/?fields=countryCode | 0% | Avira URL Cloud | safe
        http://ip-api.com/xml/?fields=countryCode,query | 0% | Avira URL Cloud | safe
        http://ip-api.com/xml/?fields=country | 0% | Avira URL Cloud | safe
        http://ip-api.com/xml/?fields=countryCode,query | 0% | Virustotal |
        http://ip-api.com/xml/?fields=country | 0% | Virustotal |
        http://ip-api.com/xml/?fields=countryCode | 0% | Virustotal |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        2.tcp.eu.ngrok.io | 18.197.239.5 | true | true | | unknown
        ip-api.com | 208.95.112.1 | true | false | | unknown
        198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        http://ip-api.com/xml/?fields=countryCode,query | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://crl.thawte.com/ThawteTimestampingCA.crl0 | Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://ip-api.com/xml/?fields=countryCode | Injector.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Injector.exe, 00000000.00000002.2902947629.000001AD00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.symauth.com/cps0( | Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.symauth.com/rpa00 | Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://ip-api.com/xml/?fields=country | Injector.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
        http://ocsp.thawte.com0 | Injector.exe, 00000000.00000002.2914097829.000001AD6C690000.00000004.08000000.00040000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10001000.00000004.00000800.00020000.00000000.sdmp, Injector.exe, 00000000.00000002.2905888401.000001AD10897000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://ip-api.com | Injector.exe, 00000000.00000002.2902947629.000001AD00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS (US) | false
        18.197.239.5 | 2.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02 (US) | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1489327
        Start date and time:2024-08-07 10:07:08 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 7m 16s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:19
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:Injector.exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@18/5@3/2
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 100
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target Injector.exe, PID 4348 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 7296 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 7544 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 7552 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 7648 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 7732 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 7860 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 8088 because it is empty
        • Execution Graph export aborted for target Injector.exe, PID 8180 because it is empty
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        Time | Type | Description
        04:08:49 | API Interceptor | 4545x Sleep call for process: Injector.exe modified
        09:07:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Injector "C:\Users\user\Desktop\Injector.exe"
        09:07:59 | Task Scheduler | Run new task: Injector path: C:\Users\user\Desktop\Injector.exe
        09:08:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Injector "C:\Users\user\Desktop\Injector.exe"
        09:08:15 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Injector "C:\Users\user\Desktop\Injector.exe"
        09:08:23 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Injector.lnk
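        The timeline above records four autostart registrations (HKCU and HKLM Run values in both the 32-bit and the 64-bit registry view, plus a Startup-folder .lnk) and one scheduled task, all pointing at C:\Users\user\Desktop\Injector.exe. One caveat before reading the "Modifies the windows firewall" signature as a successful change: the netsh command line recorded for target ID 1 has no space between allowedprogram and the quoted path, and the 118-byte file netsh.exe dropped reads "The following command was not found: firewall add allowedprogramC:\Users\user\Desktop\Injector.exe Injector ENABLE", so that invocation added no firewall exception. The script below is an added example, not part of the Joe Sandbox report or of the sample: it classifies the timeline entries (transcribed from the report) by persistence technique and tokenizes the netsh command line the way the dropped error text shows it was tokenized, so the failure is reproduced rather than assumed. The matching rules, the port of this to Python rather than PowerShell, and the hypothetical field names are the author's.

```python
"""Triage of the persistence and firewall-tampering events in the timeline
above. Added example, not part of the Joe Sandbox report: the event tuples
and the netsh command line are transcribed from the report, the matching
rules are the author's assumptions about what a responder would check."""
import re

# (time, type, description) transcribed from the report's timeline.
TIMELINE = [
    ("09:07:58", "Autostart", r'Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Injector "C:\Users\user\Desktop\Injector.exe"'),
    ("09:07:59", "Task Scheduler", r"Run new task: Injector path: C:\Users\user\Desktop\Injector.exe"),
    ("09:08:07", "Autostart", r'Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Injector "C:\Users\user\Desktop\Injector.exe"'),
    ("09:08:15", "Autostart", r'Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Injector "C:\Users\user\Desktop\Injector.exe"'),
    ("09:08:23", "Autostart", r"Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Injector.lnk"),
]

# netsh command line recorded for target ID 1; note there is no space between
# 'allowedprogram' and the opening quote of the path.
NETSH_CMDLINE = r'netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE'

RUN_KEY = re.compile(r'^Run: (?P<key>HK\w+\\\S+) (?P<name>\S+) "(?P<target>[^"]+)"$')
STARTUP_LNK = re.compile(r"^Run: (?P<target>.+\\Startup\\[^\\]+\.lnk)$", re.IGNORECASE)
SCHED_TASK = re.compile(r"^Run new task: (?P<name>\S+) path: (?P<target>.+)$")


def classify_persistence(event_type, description):
    """Map one timeline entry to a persistence technique, or None if it is not one."""
    if event_type == "Autostart":
        m = RUN_KEY.match(description)
        if m:
            hive = re.sub(r"64$", "", m.group("key").split("\\", 1)[0])  # HKCU64 -> HKCU
            return {"technique": "registry_run_key", "hive": hive, "key": m.group("key"),
                    "name": m.group("name"), "target": m.group("target")}
        m = STARTUP_LNK.match(description)
        if m:
            return {"technique": "startup_folder", "target": m.group("target")}
    elif event_type == "Task Scheduler":
        m = SCHED_TASK.match(description)
        if m:
            return {"technique": "scheduled_task", "name": m.group("name"), "target": m.group("target")}
    return None


def persistence_summary(timeline=TIMELINE):
    """Group the persistence hits by technique, preserving timeline order."""
    found = {}
    for _time, event_type, description in timeline:
        hit = classify_persistence(event_type, description)
        if hit:
            found.setdefault(hit["technique"], []).append(hit)
    return found


def split_cmdline(cmdline):
    """Split on unquoted whitespace and drop the quote characters wherever they occur.
    Applied to NETSH_CMDLINE this yields the fused token allowedprogramC:\\... that the
    dropped netsh output reports as not found."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def check_netsh_firewall(cmdline):
    """Flag a netsh firewall change and say whether the legacy form is well-formed
    (netsh firewall add allowedprogram <path> <name> [ENABLE|DISABLE])."""
    argv = split_cmdline(cmdline)
    result = {"firewall_tamper": False, "well_formed": False, "argv": argv, "program": None, "reason": ""}
    if len(argv) < 2 or argv[0].lower() != "netsh":
        result["reason"] = "not a netsh invocation"
        return result
    context = argv[1].lower()
    if context == "firewall":
        result["firewall_tamper"] = True
        if len(argv) >= 5 and argv[2].lower() == "add" and argv[3].lower() == "allowedprogram":
            result["well_formed"] = True
            result["program"] = argv[4]
        elif len(argv) >= 4 and argv[3].lower().startswith("allowedprogram"):
            result["reason"] = ("no separator between 'allowedprogram' and the program path; "
                                "netsh reports the whole command as not found")
    elif context == "advfirewall":
        # Modern syntax (netsh advfirewall firewall add rule ...): flagged, not validated here.
        result["firewall_tamper"] = True
        result["reason"] = "advfirewall context, syntax not validated by this example"
    return result


if __name__ == "__main__":
    for technique, hits in persistence_summary().items():
        print(technique, [h.get("key") or h.get("name") or h["target"] for h in hits])
    print(check_netsh_firewall(NETSH_CMDLINE))
```

        On a live host the same four checks are Get-ItemProperty on the two Run keys, Get-ScheduledTask -TaskName Injector, a listing of the user's Startup folder, and netsh advfirewall firewall show rule name=all; this example works only on the recorded events so that it runs offline.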
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        208.95.112.1 | AVISO DE COBRO DHL-160663957.PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | cotizaci#U00f3n-9568779.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | PO_2332756454346576876.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | PO_756454346576876.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | Upgraded_Detail_PayslipCC886DC7C7E1_pdf.html | malicious | HTMLPhisher | ip-api.com/json/?fields=status,country,regionName,city,query
        208.95.112.1 | ZUpK81URgS.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | sGQvbGSADU.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | VLp3BJZN82.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | OC_54563423465768.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        208.95.112.1 | oc---978656543465768587.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
        18.197.239.5 | P90GT_Invoice_Related_Property_Tax_P800.exe | malicious | RedLine | 2.tcp.eu.ngrok.io:17685/
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        2.tcp.eu.ngrok.io | 7zFM.exe | malicious | ZTrat | 3.126.37.18
        2.tcp.eu.ngrok.io | Game Laucher.exe | malicious | Njrat | 18.192.93.86
        2.tcp.eu.ngrok.io | 10.exe | malicious | Unknown | 18.192.93.86
        2.tcp.eu.ngrok.io | En3e396wX1.exe | malicious | Njrat | 18.197.239.5
        2.tcp.eu.ngrok.io | ZxocxU01PB.exe | malicious | Njrat | 18.197.239.5
        2.tcp.eu.ngrok.io | 4xKDL5YCfQ.exe | malicious | Njrat | 18.156.13.209
        2.tcp.eu.ngrok.io | R3ov8eFFFP.exe | malicious | Njrat | 3.127.138.57
        2.tcp.eu.ngrok.io | Ve0c8i5So2.exe | malicious | Njrat | 18.157.68.73
        2.tcp.eu.ngrok.io | LMQV4V1d3E.exe | malicious | Njrat | 18.192.93.86
        2.tcp.eu.ngrok.io | b8UsrDOVGV.exe | malicious | Njrat | 3.127.138.57
        ip-api.com | AVISO DE COBRO DHL-160663957.PDF.exe | malicious | AgentTesla | 208.95.112.1
        ip-api.com | cotizaci#U00f3n-9568779.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        ip-api.com | PO_2332756454346576876.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        ip-api.com | PO_756454346576876.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        ip-api.com | Upgraded_Detail_PayslipCC886DC7C7E1_pdf.html | malicious | HTMLPhisher | 208.95.112.1
        ip-api.com | ZUpK81URgS.exe | malicious | AgentTesla | 208.95.112.1
        ip-api.com | sGQvbGSADU.exe | malicious | AgentTesla | 208.95.112.1
        ip-api.com | VLp3BJZN82.exe | malicious | AgentTesla | 208.95.112.1
        ip-api.com | OC_54563423465768.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        ip-api.com | oc---978656543465768587.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        AMAZON-02 (US) | 709282738372873.exe | malicious | FormBook | 35.154.47.49
        AMAZON-02 (US) | D38UmyxKgR.exe | malicious | Unknown | 52.222.236.48
        AMAZON-02 (US) | D38UmyxKgR.exe | malicious | Unknown | 52.222.236.48
        AMAZON-02 (US) | arm7.elf | malicious | Unknown | 18.133.157.41
        AMAZON-02 (US) | x86.elf | malicious | Unknown | 13.212.201.192
        AMAZON-02 (US) | ORDER8834759934PO.vbs | malicious | AveMaria | 52.216.177.131
        AMAZON-02 (US) | https://www.sony.com/electronics/support/reader-digital-book-dpt-series/dpt-rp1?cpint=rvi | malicious | Unknown | 13.33.187.32
        AMAZON-02 (US) | http://files.fm/u/stdpwqvw9s | malicious | Unknown | 3.126.225.19
        AMAZON-02 (US) | http://Discovery-center.cloud.sap | malicious | Unknown | 13.225.78.35
        AMAZON-02 (US) | https://email.tssolution.ru/click.htm | malicious | Unknown | 50.112.70.90
        TUT-AS (US) | AVISO DE COBRO DHL-160663957.PDF.exe | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | cotizaci#U00f3n-9568779.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | PO_2332756454346576876.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | PO_756454346576876.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | Upgraded_Detail_PayslipCC886DC7C7E1_pdf.html | malicious | HTMLPhisher | 208.95.112.1
        TUT-AS (US) | ZUpK81URgS.exe | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | sGQvbGSADU.exe | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | VLp3BJZN82.exe | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | OC_54563423465768.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        TUT-AS (US) | oc---978656543465768587.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
        No context
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        C:\Users\user\AppData\Roaming\Recovery.exe | OneDriveSetup.exe | malicious | ZTrat |
        C:\Users\user\AppData\Roaming\Recovery.exe | 7zFM.exe | malicious | ZTrat |
        C:\Users\user\AppData\Roaming\Recovery.exe | Injector.exe | malicious | ZTrat |
        C:\Users\user\AppData\Roaming\Recovery.exe | Windows21.exe | malicious | ZTrat |
        C:\Users\user\AppData\Roaming\Recovery.exe | 10.exe | malicious | Unknown |
                  Process:C:\Users\user\Desktop\Injector.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):1088
                  Entropy (8bit):5.389928136181357
                  Encrypted:false
                  SSDEEP:24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KD:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0K
                  MD5:7F03B15120D277413D7C08047184C8F5
                  SHA1:0A6EEC1B9E6BB8FF846D21F7575E78B29C42A00F
                  SHA-256:18E01DE8BB5C3C111EA89C01A4D28F1834BB02E26C0ECD86D8CCAB3835C79B2C
                  SHA-512:8995C0BEA34B69FFEEE03FBB332223AB95502938A4789E64CBE8329F596E43C74676FF4550AD4F8506AAF6B955E6F8A5BDEAF1A5B6D71275D265DCE2D5478754
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6
                  Process:C:\Users\user\Desktop\Injector.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 11:02:30 2023, mtime=Wed Aug 7 07:07:59 2024, atime=Wed Aug 7 07:07:56 2024, length=2317824, window=hide
                  Category:dropped
                  Size (bytes):595
                  Entropy (8bit):5.109737782876251
                  Encrypted:false
                  SSDEEP:12:8ZUlCvzYNbR1cjqI2lGjAEpm07boPClJXaqnBmV:8Z83n1Aqj6AEA0dJXaqnBm
                  MD5:3ABFD591FC662E698D23B7F5EFD4007C
                  SHA1:FBFB56662EA60073C3D5482416A0FB9141AD432C
                  SHA-256:67BF4E9DB1B5EA71887F395B9FC5D5A74EC88C8A4D8CF45F6A0DF7DB07FF500D
                  SHA-512:9FFE17F154DDBDD2CCE2CDE4984F608CA4DBEA0B1BC180374A666E22814F3CBAD08BEF89313108CC3FB12B31DAC21CDD870092AFBD90B0EF6995BC67F909E81F
                  Malicious:false
                  Reputation:low
                  Preview:L..................F.... ..................]......^#..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......-/.v.....z...............f.2..^#..Y.@ .Injector.exe..J......DWP`.Y.@..............................I.n.j.e.c.t.o.r...e.x.e.......R...............-.......Q..............0.....C:\Users\user\Desktop\Injector.exe..).....\.....\.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.n.j.e.c.t.o.r...e.x.e.`.......X.......760639...........hT..CrF.f4... .*~T..b...,.......hT..CrF.f4... .*~T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                  Process:C:\Users\user\Desktop\Injector.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):1332736
                  Entropy (8bit):7.966916525535396
                  Encrypted:false
                  SSDEEP:24576:PRQmcVNit/+nmGSbhn1s6zUwY4x2FiZlD+DnX7:PGvbmGSbh1s69YbFifyj
                  MD5:134400FB7EFE11BFC5A01108FCEDDE82
                  SHA1:60ADE212C51804B3E1B762EC589D23B3639F5BAA
                  SHA-256:50BA6F23ECABABDAB3CE09CD1E93EDCE9539EB82E2D51C9A38D84CBD896EEEF2
                  SHA-512:7699926C51375E62AEBF18B5B4A8D6F9F302DA3D218EB328872D7E89899CA7ECA86A932AD44B285412BE0352FFA24ED216E72224015FA6D4BCE4C5BFDEC9BCA6
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 71%
                  • Antivirus: Virustotal, Detection: 69%, Browse
                  Joe Sandbox View:
                  • Filename: OneDriveSetup.exe, Detection: malicious, Browse
                  • Filename: 7zFM.exe, Detection: malicious, Browse
                  • Filename: Injector.exe, Detection: malicious, Browse
                  • Filename: Windows21.exe, Detection: malicious, Browse
                  • Filename: 10.exe, Detection: malicious, Browse
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k~f.................J...........h... ........@.. .......................................................................h..K.......D...........................Rh............................................... ............... ..H............text....H... ...J.................. ..`.sdata...............N..............@....rsrc...D............P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\System32\netsh.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):118
                  Entropy (8bit):4.756270590652781
                  Encrypted:false
                  SSDEEP:3:SKpJOLz3WF+RUepJVcFLzBVZEIIt+WfWs7AGsbAPQV9n:wL73CepJK3jZhIwvs7AAPG9
                  MD5:1EAC4A8DC9D9054F3944E624B5BF947E
                  SHA1:37AB0F5AB90149855DCAAFBC27F5AB8A87DF130B
                  SHA-256:EF09D999DBCD034985FBBA5ABC5C7AB75CD38AEA7B9DE04F50532B8BE44DA092
                  SHA-512:6970697F00B055CAB0A01E068E2C2B2B52F959B3C41FF6F19DE4C6D202FE1A6906E5984D8E6411E99042E38B4540A1BE94D598528B151902A33FF1A2A1FAD0FF
                  Malicious:false
                  Preview:The following command was not found: firewall add allowedprogramC:\Users\user\Desktop\Injector.exe Injector ENABLE...
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.985350435552791
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:Injector.exe
                  File size:2'317'824 bytes
                  MD5:2b943b85bab5335d5ee010d9518bdab3
                  SHA1:28958a9ebec4d60f941c510a6aec984bab4d4ab1
                  SHA256:dcf7ef26bf532a4e72f591b739715da80a4309f890a6c5696153824983ba4d8a
                  SHA512:14cba2a64fec715271b690f52acc2a092cf6e0739401068eaf19a67c709e1f4dde4eac33fdba697189a3c326b8b8a005fb18a25aee19fad3bdeae926de9231af
                  SSDEEP:49152:qUSyGPmilGFx/k7Sg0ahADWN+X9/mjCVMye/mhoDz6q4Hhlk6fCrvi+yhyp5FP0j:FSy6LgFx/ySZD19Wye/mhoX6q4BzfCr6
                  TLSH:BDB5338C73E8496AD36E0ABD853E605153F4BA335E43EB4D0EF291D72E337920664693
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.f.................V#..........t#.. ........@.. ........................#...........`................................
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x6374ae
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66B32ABA [Wed Aug 7 08:05:14 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al   (this line is repeated 97 times in the original listing)
                  The native entrypoint of this .NET assembly is the usual one-instruction stub: an indirect jmp through the single IAT slot at RVA 0x2000 (image base 0x400000, IAT size 0x8), which resolves to the only import, mscoree.dll!_CorExeMain. Everything after it disassembles from zero bytes; the managed code lives behind the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at 0x2008), not at the PE entrypoint.
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x237454 | 0x57 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x238000 | 0x400 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x23a000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x2354b4 | 0x235600 | 243c5a6a2e5ea640510b9b4d37d0e76d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x238000 | 0x400 | 0x400 | 210d95950cc32d2dfa33a27b08f0e61a | False | 0.3017578125 | data | 3.5235960918606954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x23a000 | 0xc | 0x200 | 1e268bb3d4bdca46d000922cc49e33cd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_MANIFEST | 0x238058 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 7, 2024 10:08:01.042741060 CEST | 49730 | 13028 | 192.168.2.4 | 18.197.239.5
                  Aug 7, 2024 10:08:01.047637939 CEST | 13028 | 49730 | 18.197.239.5 | 192.168.2.4
                  Aug 7, 2024 10:08:01.047724009 CEST | 49730 | 13028 | 192.168.2.4 | 18.197.239.5
                  Aug 7, 2024 10:08:01.120193005 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                  Aug 7, 2024 10:08:01.125119925 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
                  Aug 7, 2024 10:08:01.125217915 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                  Aug 7, 2024 10:08:01.125483990 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                  Aug 7, 2024 10:08:01.130251884 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
                  Aug 7, 2024 10:08:01.752927065 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
                  Aug 7, 2024 10:08:01.793029070 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                  Aug 7, 2024 10:08:01.876827002 CEST | 49730 | 13028 | 192.168.2.4 | 18.197.239.5
                  Aug 7, 2024 10:08:01.883392096 CEST | 13028 | 49730 | 18.197.239.5 | 192.168.2.4
                  Aug 7, 2024 10:09:04.223845959 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
                  Aug 7, 2024 10:09:04.224069118 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                  Aug 7, 2024 10:09:41.767317057 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
                  Aug 7, 2024 10:09:41.772268057 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 7, 2024 10:08:01.025985956 CEST | 61024 | 53 | 192.168.2.4 | 1.1.1.1
                  Aug 7, 2024 10:08:01.036825895 CEST | 53 | 61024 | 1.1.1.1 | 192.168.2.4
                  Aug 7, 2024 10:08:01.109204054 CEST | 63668 | 53 | 192.168.2.4 | 1.1.1.1
                  Aug 7, 2024 10:08:01.116338015 CEST | 53 | 63668 | 1.1.1.1 | 192.168.2.4
                  Aug 7, 2024 10:08:32.535572052 CEST | 53 | 54285 | 162.159.36.2 | 192.168.2.4
                  Aug 7, 2024 10:08:33.006087065 CEST | 55504 | 53 | 192.168.2.4 | 1.1.1.1
                  Aug 7, 2024 10:08:33.014038086 CEST | 53 | 55504 | 1.1.1.1 | 192.168.2.4

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Aug 7, 2024 10:08:01.025985956 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfec | Standard query (0) | 2.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
                  Aug 7, 2024 10:08:01.109204054 CEST | 192.168.2.4 | 1.1.1.1 | 0xc5c4 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                  Aug 7, 2024 10:08:33.006087065 CEST | 192.168.2.4 | 1.1.1.1 | 0xd17a | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Aug 7, 2024 10:08:01.036825895 CEST | 1.1.1.1 | 192.168.2.4 | 0xdfec | No error (0) | 2.tcp.eu.ngrok.io | | 18.197.239.5 | A (IP address) | IN (0x0001) | false
                  Aug 7, 2024 10:08:01.116338015 CEST | 1.1.1.1 | 192.168.2.4 | 0xc5c4 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                  Aug 7, 2024 10:08:33.014038086 CEST | 1.1.1.1 | 192.168.2.4 | 0xd17a | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                  • ip-api.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 7296 | C:\Users\user\Desktop\Injector.exe

                  Timestamp | Bytes transferred | Direction | Data
                  Aug 7, 2024 10:08:01.125483990 CEST | 89 | OUT | GET /xml/?fields=countryCode,query HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Aug 7, 2024 10:08:01.752927065 CEST | 292 | IN | HTTP/1.1 200 OK
                  Date: Wed, 07 Aug 2024 08:08:01 GMT
                  Content-Type: application/xml; charset=utf-8
                  Content-Length: 116
                  Access-Control-Allow-Origin: *
                  X-Ttl: 60
                  X-Rl: 44
                  Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 71 75 65 72 79 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 71 75 65 72 79 3e 0a 3c 2f 71 75 65 72 79 3e
                  Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <countryCode>US</countryCode> <query>8.46.123.33</query></query>



                  Target ID:0
                  Start time:04:07:57
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\Injector.exe"
                  Imagebase:0x1ad69fe0000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_ZTrat, Description: Yara detected ZTrat, Source: 00000000.00000000.1657608925.000001AD69FE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Target ID:1
                  Start time:04:07:57
                  Start date:07/08/2024
                  Path:C:\Windows\System32\netsh.exe
                  Wow64 process (32bit):false
                  Commandline:netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
                  Imagebase:0x7ff7b8da0000
                  File size:96'768 bytes
                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:2
                  Start time:04:07:57
                  Start date:07/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:04:07:58
                  Start date:07/08/2024
                  Path:C:\Windows\System32\netsh.exe
                  Wow64 process (32bit):false
                  Commandline:netsh firewall add allowedprogram"C:\Users\user\Desktop\Injector.exe" "Injector" ENABLE
                  Imagebase:0x7ff7b8da0000
                  File size:96'768 bytes
                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:4
                  Start time:04:07:58
                  Start date:07/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:04:07:58
                  Start date:07/08/2024
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Injector" /tr "C:\Users\user\Desktop\Injector.exe"
                  Imagebase:0x7ff76f990000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:04:07:58
                  Start date:07/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:04:07:59
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Users\user\Desktop\Injector.exe
                  Imagebase:0x1dc8a5c0000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:8
                  Start time:04:08:01
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\Injector.exe
                  Imagebase:0x5a0000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:9
                  Start time:04:08:07
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\Injector.exe"
                  Imagebase:0x1670f840000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:11
                  Start time:04:08:15
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\Injector.exe"
                  Imagebase:0x1ec64240000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:14
                  Start time:04:08:23
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\Injector.exe"
                  Imagebase:0x1c900e90000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:15
                  Start time:04:08:31
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\Injector.exe"
                  Imagebase:0x2292dfe0000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:16
                  Start time:04:09:00
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Users\user\Desktop\Injector.exe
                  Imagebase:0x27b14130000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:18
                  Start time:04:10:00
                  Start date:07/08/2024
                  Path:C:\Users\user\Desktop\Injector.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Users\user\Desktop\Injector.exe
                  Imagebase:0x29ab8450000
                  File size:2'317'824 bytes
                  MD5 hash:2B943B85BAB5335D5EE010D9518BDAB3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cbf6b4ef076b5e0f2f15624c4a6bc33df4c02fdac2b0eda59a8eb1991d328063
                    • Instruction ID: f88615e588d5e051d92184f1831e870665c19b3ec34e7c8384205c133a0b26f6
                    • Opcode Fuzzy Hash: cbf6b4ef076b5e0f2f15624c4a6bc33df4c02fdac2b0eda59a8eb1991d328063
                    • Instruction Fuzzy Hash: 8A036134A0961D8FEB65EB64C4A5BE8B7F1FF49304F5441E9D00DD72A6CA39AA81CF40
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4e781f668d2f8bfbbd845d83ef5edde684699d952fe24a4d4a6b84b7ce1416bb
                    • Instruction ID: b736a53f47eadb4f35e1e6df103d22ba7899bfc3c3689742d9985a53b1476f8e
                    • Opcode Fuzzy Hash: 4e781f668d2f8bfbbd845d83ef5edde684699d952fe24a4d4a6b84b7ce1416bb
                    • Instruction Fuzzy Hash: 57116D31A1995D8FDF80EF68C854AED77F0FF58300F0100B6E008E32A1CA349944CB81
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2b22dbdd693a373e1359a8950ea72f4c55927826cb90c8aaa29843ce53886164
                    • Instruction ID: 14fc3ebd954d2c9e08e9b84a4d6b28f3a200b89aab3fe73046a5e0d533196132
                    • Opcode Fuzzy Hash: 2b22dbdd693a373e1359a8950ea72f4c55927826cb90c8aaa29843ce53886164
                    • Instruction Fuzzy Hash: 3221EA70A1965D8FEBA5EB68C8647E8B7F5EF09300F4045E9D40DD7296CA38AA80CB00
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2ebe8dc2097b9e4e53ab1cbe948eec8a3641cbf5fd08fa276dd9e0c94c36a8f1
                    • Instruction ID: 2f8e52e03bd8583ee5d149143ebe1b9a5f91a80611d280cfaee364a0cdf12251
                    • Opcode Fuzzy Hash: 2ebe8dc2097b9e4e53ab1cbe948eec8a3641cbf5fd08fa276dd9e0c94c36a8f1
                    • Instruction Fuzzy Hash: CA214D70A496598FD7A5EF64C8557A8B7B1EF49300F0104F9C40DA72A2CB795D81CF01
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 743f85768bd898c6e987fc25a137e9290bd6f27d0f06feda339d4306f99aff14
                    • Instruction ID: d6c536eb99bf9581cff4fdc0a91c87049d6b343ca24b73a59e4dc4eda3b5f9d3
                    • Opcode Fuzzy Hash: 743f85768bd898c6e987fc25a137e9290bd6f27d0f06feda339d4306f99aff14
                    • Instruction Fuzzy Hash: 2B110931A1892D9FDF90EFA8D854AEEB7F1FB58300F000576E419E32A5CA74A9548B90
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2427185bef3c296cb5d542d6cc95b5d83f288d59c83e293529cc35c263da423b
                    • Instruction ID: 8fe74c57dff1cff92d62f356ae4fe5e829c5a679ddd4715a12c4d10a7402501f
                    • Opcode Fuzzy Hash: 2427185bef3c296cb5d542d6cc95b5d83f288d59c83e293529cc35c263da423b
                    • Instruction Fuzzy Hash: C5114A70A496598FD795EF24C855BA8B7B1EF49300F0145F9C40DA72A2CB795D80CF01
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ce9513f86997755ca03abaf78dcfb40fd589e4c06fdcd238b0f68ae2ef3ebdae
                    • Instruction ID: 4a1c4cdd51eb63b8a3d5e21afcb2e4cd3ea6767468a7548df4fef047b79ceeaf
                    • Opcode Fuzzy Hash: ce9513f86997755ca03abaf78dcfb40fd589e4c06fdcd238b0f68ae2ef3ebdae
                    • Instruction Fuzzy Hash: B7014530A4E69E4FE7629B7488246E53BF0EF42300F0441FBD008CB197DA384A468782
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7804d3bb8d4b59ff0907df0ad943225e07170ef5aa0b3bebda34e8892cb39936
                    • Instruction ID: 048a412e06406ee316ca60ec97792ec19a1581d15483012f4df8e0658b0f9283
                    • Opcode Fuzzy Hash: 7804d3bb8d4b59ff0907df0ad943225e07170ef5aa0b3bebda34e8892cb39936
                    • Instruction Fuzzy Hash: E6018031A0EB9E4FEB629F788C264E97FB0FF0B340F4A11FBD499C60A2D92495548751
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c13081d9e9b5e37504f1fb985e1f7f653463915bd33a6a568927979c8e7f4a9f
                    • Instruction ID: 2ddf8da9c32daefb40c5e0ecad03e2697af87f02eec43fc0a92c85f6eb48f5ff
                    • Opcode Fuzzy Hash: c13081d9e9b5e37504f1fb985e1f7f653463915bd33a6a568927979c8e7f4a9f
                    • Instruction Fuzzy Hash: C3115770E095998FDB99EF68D8647ECB6B2EF5A300F0045EA910EE32D1CA741980CB01
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a708034db2fd3077ccc4c7c3d1a2a6a25e61bc46bfb61c999c926a478836b2d2
                    • Instruction ID: 8287272ee4896292194313451145fa69ef42e313ce5a27c4234dc7a5d3b1952c
                    • Opcode Fuzzy Hash: a708034db2fd3077ccc4c7c3d1a2a6a25e61bc46bfb61c999c926a478836b2d2
                    • Instruction Fuzzy Hash: F1115674A05A8E8FCB85DF98C48469EBBF2FFA9300B10866AC409D7759D734D846CB41
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 78b162584c072d70708c7066aac2c42e87ce7faf090a10abfd033ad59f7986fe
                    • Instruction ID: 06117a9b0e7724662a1d26a57f99661ca6f886352ca10714814f7d725649c910
                    • Opcode Fuzzy Hash: 78b162584c072d70708c7066aac2c42e87ce7faf090a10abfd033ad59f7986fe
                    • Instruction Fuzzy Hash: 7E11C270909A589FDB92EB68CC59BDABBF0EF49301F4041E9D40DE7251DA356D81CF01
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a6a0f6531e94754693a9ff089d7db90669fdd86c6f284e85ba7ebe0ffc98e17d
                    • Instruction ID: e4016b30eca8c612174121b23001c2f9b1f4dfb545649b72db46f13c505a11c1
                    • Opcode Fuzzy Hash: a6a0f6531e94754693a9ff089d7db90669fdd86c6f284e85ba7ebe0ffc98e17d
                    • Instruction Fuzzy Hash: 9B01D430D1965D8FDB55EFB488686FCBBB0FF49300F4205AAD418D21A2DB35A644CB40
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dac48243bf380858921ee0e28cf4aec454e8955cc32a7e0093032be13a17dc2f
                    • Instruction ID: 1adc20aa53f19344a7b59312d9e212fe3ae65718682274037f040109acd2a31d
                    • Opcode Fuzzy Hash: dac48243bf380858921ee0e28cf4aec454e8955cc32a7e0093032be13a17dc2f
                    • Instruction Fuzzy Hash: 62F06211A5F7DD4EE72757B94C750947F70FF56604F0A01B7C4988A0E3C9085A18C7A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5cf4a3fd8274e50cf67ab0bf0422d2d21fd04fad9c59c3f7c98eaffdc6839dae
                    • Instruction ID: 6ae919a33cc966266d9c6decd3d2bb3504af276aa3ea6dae565352c338ed0787
                    • Opcode Fuzzy Hash: 5cf4a3fd8274e50cf67ab0bf0422d2d21fd04fad9c59c3f7c98eaffdc6839dae
                    • Instruction Fuzzy Hash: 92F0B271D4965D8FDB99EB64845579CBAF1EF58300F0041FE901ED7295DA7419848B01
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 390b9fc77581d3999b8f7f8afb56d66f14b5a03953aa4cea992b4dc80ed2f7cc
                    • Instruction ID: a39c09bde297d49df39e5dd1ecf90f3c030c1933e4843926bdab1c482b117393
                    • Opcode Fuzzy Hash: 390b9fc77581d3999b8f7f8afb56d66f14b5a03953aa4cea992b4dc80ed2f7cc
                    • Instruction Fuzzy Hash: EFF0657061894E9FCB89EF68D494EDEB7F1FF59300F1082AAD009D7659CA34D842CB80
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a0675c4c8bb37537a996ab2b5f53b96f4f272b8add44c4a2471766f7ece41852
                    • Instruction ID: f0e4b8aeef8a148778e9afba9d8386c8aabb81d1e0b2b014cb78eb6f595a70ed
                    • Opcode Fuzzy Hash: a0675c4c8bb37537a996ab2b5f53b96f4f272b8add44c4a2471766f7ece41852
                    • Instruction Fuzzy Hash: A2E01A34A0851DDFCB98DB98D895AEC7BA2FF68300F4180A9D009E3262CEB46C40CB40
                    Memory Dump Source
                    • Source File: 00000000.00000002.2918279856.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ba7f2b75866d54b3d1b2de294d18b58addefcea961f3581ec5ea61e7e9d794af
                    • Instruction ID: 445b659173c9d31ee0c975d3da485b3c7863b90e07b4efe54aa1a7bf89abda62
                    • Opcode Fuzzy Hash: ba7f2b75866d54b3d1b2de294d18b58addefcea961f3581ec5ea61e7e9d794af
                    • Instruction Fuzzy Hash: D1E0127091A6564FC745DF60C8556EDB7F1EF45300F4044BDD05A8B6AACE381D198B51
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5ab412507b9cc78f90f6c2080bddf076f873c1bcfd0356896c4e5b6ddc50a17c
                    • Instruction ID: 9e8636872664c73a6e421b13a432b1db8fb0193dc99acfa3835587f8e40ce3f8
                    • Opcode Fuzzy Hash: 5ab412507b9cc78f90f6c2080bddf076f873c1bcfd0356896c4e5b6ddc50a17c
                    • Instruction Fuzzy Hash: 3FC18F71B0995D8FDB94EB6CE865AECBBF0FF59315F0402BAD04DD7192DA34A8818B40
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b86accb522d57a2b4117c3751af433481f5d75601f99bdb0ae4aa01ec3148950
                    • Instruction ID: 2fcccb03d141abc29d25835d4defab78ebb96242e3c52a927489df5ea06aad7d
                    • Opcode Fuzzy Hash: b86accb522d57a2b4117c3751af433481f5d75601f99bdb0ae4aa01ec3148950
                    • Instruction Fuzzy Hash: DCF0582290F3C94EEB2357A44C712A83F70AF47604F4A02F3E088DA0F3D91869598362
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5317ca995c62ada07856906e9689c8c153a480f217d7523042d177b2375aed3f
                    • Instruction ID: 2d5ee2d3f27373b32d79734e791099f7710670faefd1e44c783e24a2c5510b5a
                    • Opcode Fuzzy Hash: 5317ca995c62ada07856906e9689c8c153a480f217d7523042d177b2375aed3f
                    • Instruction Fuzzy Hash: 69D12E70A08A5D8FDB98DF18C850BA9B7F1FF6D300F1041EAD40DDB2A6CA31A995CB51
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 57e68f21fc03353e9351e133c184af1d9072c59cb6de71999c514c0d4098d057
                    • Instruction ID: 5454c11655e34ed04c5217b6a9d702e601c83620a752ef9ab326e461866d1a31
                    • Opcode Fuzzy Hash: 57e68f21fc03353e9351e133c184af1d9072c59cb6de71999c514c0d4098d057
                    • Instruction Fuzzy Hash: DD81D771A08A1D8FDB94EF58D895BADB7F1FF69305F1001AAD00DE7296DB34A881CB41
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d54e2b37b90b9a4b5986d00fd9e04aa7544232f501ea20ad6358f1648812191c
                    • Instruction ID: f041cf4c393698e8f8127cfe9a406b2ad19da7941ac837abb074cea65295c40e
                    • Opcode Fuzzy Hash: d54e2b37b90b9a4b5986d00fd9e04aa7544232f501ea20ad6358f1648812191c
                    • Instruction Fuzzy Hash: 4281DA70A08A5D8FDF94EF58C855BACBBF1FF69301F1001AAD00DE7296CA74A881CB41
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f24d28cb652c256b8480fddfb050816ebdee54597d7d205c8efbdb3479c5ff06
                    • Instruction ID: d42de2b0a10d0a3f0afcc9da3bf27b8aa07289d377df2c142cea4841772c035a
                    • Opcode Fuzzy Hash: f24d28cb652c256b8480fddfb050816ebdee54597d7d205c8efbdb3479c5ff06
                    • Instruction Fuzzy Hash: 6481A470A08A1D8FDF94EF58C895BADB7F1FB69305F1001AAE00DE7295DB74A981CB41
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 39e70eebc76440f050cad0c824b674c0a5e607698bdafe7478c1d736fa8e35df
                    • Instruction ID: bdc3fc28eccc7d4ddb9fd8b8db96512839d7d4820fdb9ca8d85a6887722b1b68
                    • Opcode Fuzzy Hash: 39e70eebc76440f050cad0c824b674c0a5e607698bdafe7478c1d736fa8e35df
                    • Instruction Fuzzy Hash: 6931F731E0E28E4FDB15ABB094216FA7BB0EF06314F0500BAE059D31D7CE6D9556C751
                    Memory Dump Source
                    • Source File: 00000007.00000002.1680602904.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_7_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c8d75f6cda2d29c7687908d8a79a073d549b7807f53f36bbca3b1fbcec9aa82
                    • Instruction ID: 7733a9130b454fe67dbc55195816d3372f7a5581563e259d61209297dd2529b1
                    • Opcode Fuzzy Hash: 2c8d75f6cda2d29c7687908d8a79a073d549b7807f53f36bbca3b1fbcec9aa82
                    • Instruction Fuzzy Hash: 33018F30D5A64D8FDB55EFA488A82FCBBB0FF59300F4606AAD01CD21A2DB759A44C701
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c6323cbb4f855b9f0f8a6c6a0ec0c48e9ceea3b0d9268d6f3dd7cded2c88efdb
                    • Instruction ID: 0f56465ba79302e494564be26c439adfe3dae84a64d3ab22f1530c0772135663
                    • Opcode Fuzzy Hash: c6323cbb4f855b9f0f8a6c6a0ec0c48e9ceea3b0d9268d6f3dd7cded2c88efdb
                    • Instruction Fuzzy Hash: F7C18371A0896D8FDB55EBACD865AECBBF0FF58315F1401BAD04DD7192DA34A881CB40
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8014ed596f3f66429f7f1ee57832eff26723fb2b29c9719616b52acb8f477771
                    • Instruction ID: 467fa1369249bd188ff0f019293d8c48379c865be93c1482778cea8c8be3c4f2
                    • Opcode Fuzzy Hash: 8014ed596f3f66429f7f1ee57832eff26723fb2b29c9719616b52acb8f477771
                    • Instruction Fuzzy Hash: 5DF05822A0F3C94EEB2357A44C711A43F70EF47604F4A01F7E098DA0F3D91869498352
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fd29746493714c589225983efbcf17e1627a647e812c363a6cf315271f82a015
                    • Instruction ID: 8364ce0de932c8faddd0ec160d9bd90a71b3fc70919f1f4041a15173f1d17d12
                    • Opcode Fuzzy Hash: fd29746493714c589225983efbcf17e1627a647e812c363a6cf315271f82a015
                    • Instruction Fuzzy Hash: 3DD18470A19A8D8FDB99DF18C854BA9BBF1FF69300F1042EAD40DD7296CA349D85CB41
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f9a1dd2612c93314b8fb3d41589faa5b0c36e598987ff1ffc8a4a73517c4b8ce
                    • Instruction ID: 780f596ce05df4b2334a93b5e04f43cbeea9d3b46d2b28bd46ae553ef3232715
                    • Opcode Fuzzy Hash: f9a1dd2612c93314b8fb3d41589faa5b0c36e598987ff1ffc8a4a73517c4b8ce
                    • Instruction Fuzzy Hash: 7181C771A08A1D8FDF94EF58D895BADBBF1FF59305F1001AAD00DE7296DB34A8818B41
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b2b0eb969b7da0de5d31585d6ddcec01e8bd922da897c285f538f5bfbda3f645
                    • Instruction ID: f132ecf22d3129518bc9519290bad42513e4c4f74c185d04e427d207074f093e
                    • Opcode Fuzzy Hash: b2b0eb969b7da0de5d31585d6ddcec01e8bd922da897c285f538f5bfbda3f645
                    • Instruction Fuzzy Hash: 4681C970A08A5D8FDF94EF58C855BACBBF1FF59301F1001AAD00DD7296CA74A981CB41
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fb7ae2cdb276722c15153974c23b5910103567256f4bf72448824a50d66d6cf2
                    • Instruction ID: 93eb92d364092717ac15e71993521046a00b94a3b7e68bdfa83c5af68da4dfd0
                    • Opcode Fuzzy Hash: fb7ae2cdb276722c15153974c23b5910103567256f4bf72448824a50d66d6cf2
                    • Instruction Fuzzy Hash: 5081A470A08A1D8FDF94EF58C895BADBBF1FB69301F1001A9E00DE7295DB74A981CB41
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 78b58adc681cfc8324ce698fe9872bf8980093f7baabc8315c6adc0f2a072ebe
                    • Instruction ID: 79c07cc6323c5dc91139b8a93fa30203895989a0798b650c075ad6fe3fc01f5d
                    • Opcode Fuzzy Hash: 78b58adc681cfc8324ce698fe9872bf8980093f7baabc8315c6adc0f2a072ebe
                    • Instruction Fuzzy Hash: A831F731E0E28E5FEB16ABA094216FA7BB0EF06314F0500BAE059D31D7CE7D9556C791
                    Memory Dump Source
                    • Source File: 00000008.00000002.1705767632.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 91e89eeed0d74d42584b1522a9da65fe3aa5cfa1e1f53e45cb1cb935b1f0e24e
                    • Instruction ID: 88de7429d39f93029f9f4117760e5b05dc3fdda44d65ea31d3ae255599a4aa23
                    • Opcode Fuzzy Hash: 91e89eeed0d74d42584b1522a9da65fe3aa5cfa1e1f53e45cb1cb935b1f0e24e
                    • Instruction Fuzzy Hash: 2D018431D1964D8FDB55EFA484682FDBFB0FF59300F4205AAD058D61A2DB759A44C701
                    Memory Dump Source
                    • Source File: 00000009.00000002.1760097258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8014ed596f3f66429f7f1ee57832eff26723fb2b29c9719616b52acb8f477771
                    • Instruction ID: 467fa1369249bd188ff0f019293d8c48379c865be93c1482778cea8c8be3c4f2
                    • Opcode Fuzzy Hash: 8014ed596f3f66429f7f1ee57832eff26723fb2b29c9719616b52acb8f477771
                    • Instruction Fuzzy Hash: 5DF05822A0F3C94EEB2357A44C711A43F70EF47604F4A01F7E098DA0F3D91869498352
                    Memory Dump Source
                    • Source File: 00000009.00000002.1760097258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8e2770a54e93e38ac75c52ab526031209ff06d66f6c3554d0eb06cc1f153477f
                    • Instruction ID: 864762fa7a930bd23661c4fbecc33c40b63e5f3e8109e4ec927888e89467b93f
                    • Opcode Fuzzy Hash: 8e2770a54e93e38ac75c52ab526031209ff06d66f6c3554d0eb06cc1f153477f
                    • Instruction Fuzzy Hash: E371C970A09A5D8FDF94EF68C855BADBBF1FF59301F1001AAE04DD7296CA74A881CB41
                    Memory Dump Source
                    • Source File: 00000009.00000002.1760097258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3fa546a950a852d2642d7dc48ad0495d1f23543b362333fd9b282611a8a3da21
                    • Instruction ID: cf17dcfcfdac93dcab17832de2753d240118972465f657d2f5088f3865a8ed5a
                    • Opcode Fuzzy Hash: 3fa546a950a852d2642d7dc48ad0495d1f23543b362333fd9b282611a8a3da21
                    • Instruction Fuzzy Hash: 1C61B670A08A5D8FDF94EF68C855BADBBF1FB69305F5001A9E00DD7295CA74A9818B40
                    Memory Dump Source
                    • Source File: 00000009.00000002.1760097258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97e60b8bb1277cefdf8b4e515d8aa7cf8c8bd8ea4baeeffff8a58161ea577ed7
                    • Instruction ID: 1d84f57496d2ce5e513e46ab34e46c0f636532fc1dc15b7371d6bb71e3a34190
                    • Opcode Fuzzy Hash: 97e60b8bb1277cefdf8b4e515d8aa7cf8c8bd8ea4baeeffff8a58161ea577ed7
                    • Instruction Fuzzy Hash: DE11D674A0568E8FCBC4DF98C49469EBBF2FF68310B14466AC419D7759DB34D846CB40
                    Memory Dump Source
                    • Source File: 00000009.00000002.1760097258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 91e89eeed0d74d42584b1522a9da65fe3aa5cfa1e1f53e45cb1cb935b1f0e24e
                    • Instruction ID: 88de7429d39f93029f9f4117760e5b05dc3fdda44d65ea31d3ae255599a4aa23
                    • Opcode Fuzzy Hash: 91e89eeed0d74d42584b1522a9da65fe3aa5cfa1e1f53e45cb1cb935b1f0e24e
                    • Instruction Fuzzy Hash: 2D018431D1964D8FDB55EFA484682FDBFB0FF59300F4205AAD058D61A2DB759A44C701
                    Memory Dump Source
                    • Source File: 00000009.00000002.1760097258.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 60a548d446d72fd48ea3f3e8a4d59bb77b6839c7bb380b2bf00689903af61e7d
                    • Instruction ID: 40d0f23ccf02469e1d54dbb024fdcfeb88163e9979277b33d0d21528c11afb60
                    • Opcode Fuzzy Hash: 60a548d446d72fd48ea3f3e8a4d59bb77b6839c7bb380b2bf00689903af61e7d
                    • Instruction Fuzzy Hash: 51F0FF70619A8E9FCB85EF24D88899EBBB2FF6420070442EDD049C715AD634A845C741
                    Memory Dump Source
                    • Source File: 0000000B.00000002.1845003276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b86accb522d57a2b4117c3751af433481f5d75601f99bdb0ae4aa01ec3148950
                    • Instruction ID: 2fcccb03d141abc29d25835d4defab78ebb96242e3c52a927489df5ea06aad7d
                    • Opcode Fuzzy Hash: b86accb522d57a2b4117c3751af433481f5d75601f99bdb0ae4aa01ec3148950
                    • Instruction Fuzzy Hash: DCF0582290F3C94EEB2357A44C712A83F70AF47604F4A02F3E088DA0F3D91869598362
                    Memory Dump Source
                    • Source File: 0000000B.00000002.1845003276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6b64202dadb9cce98e82851f4f02a348d23a60516f8749fcedb8220092b3cc89
                    • Instruction ID: 4760daf7f4e5cf2c39f7b4f657104636d8744b89261c915782b0cc16a197d2ea
                    • Opcode Fuzzy Hash: 6b64202dadb9cce98e82851f4f02a348d23a60516f8749fcedb8220092b3cc89
                    • Instruction Fuzzy Hash: 2171EA70A09A5D8FDB94EF68C855BADBBF1FF59301F1001AAE04DD7296CB74A881CB41
                    Memory Dump Source
                    • Source File: 0000000B.00000002.1845003276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dde4c3ad753be780901b1913b70a7acc9cbfdb62a78421e559ff233dd47318df
                    • Instruction ID: e26bbb8f5017903f4442872670fca13488e7e37cf575b99b8936e20aaaee90b3
                    • Opcode Fuzzy Hash: dde4c3ad753be780901b1913b70a7acc9cbfdb62a78421e559ff233dd47318df
                    • Instruction Fuzzy Hash: 4861C670A08A5D8FDB94EF68C895BADB7F1FF69305F5001A9E00DE7295CB74A881CB41
                    Memory Dump Source
                    • Source File: 0000000B.00000002.1845003276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 747535d91d526acf5026019ac03388a827aaf154604314d2181e39a52e0dc5e9
                    • Instruction ID: cac9435e62d3373eeb98a669b34702e4784f1fa7ce0fc8b4f37691cc5f034e0d
                    • Opcode Fuzzy Hash: 747535d91d526acf5026019ac03388a827aaf154604314d2181e39a52e0dc5e9
                    • Instruction Fuzzy Hash: BA11E174A05A8E8FCB84DF98C48469EBBF2FF69311B2446AAC409D7759D634D846CB80
                    Memory Dump Source
                    • Source File: 0000000B.00000002.1845003276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c8d75f6cda2d29c7687908d8a79a073d549b7807f53f36bbca3b1fbcec9aa82
                    • Instruction ID: 7733a9130b454fe67dbc55195816d3372f7a5581563e259d61209297dd2529b1
                    • Opcode Fuzzy Hash: 2c8d75f6cda2d29c7687908d8a79a073d549b7807f53f36bbca3b1fbcec9aa82
                    • Instruction Fuzzy Hash: 33018F30D5A64D8FDB55EFA488A82FCBBB0FF59300F4606AAD01CD21A2DB759A44C701
                    Memory Dump Source
                    • Source File: 0000000B.00000002.1845003276.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffd9b8a0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 049a6fe12331a07f8a2d9cfe8a04dfbc88cf648bb36dd895e2c5fb2fbde77b81
                    • Instruction ID: 9d8de941fee873a0bc50f16d410294373f6f900d1a2a2e675e6e678853fa3026
                    • Opcode Fuzzy Hash: 049a6fe12331a07f8a2d9cfe8a04dfbc88cf648bb36dd895e2c5fb2fbde77b81
                    • Instruction Fuzzy Hash: 68F0E57061894E9FCF85EF58D494ADDB7F1FF58310B2142A9D00DD7655DA34D846CB40
                    Memory Dump Source
                    • Source File: 0000000E.00000002.1924629117.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8014ed596f3f66429f7f1ee57832eff26723fb2b29c9719616b52acb8f477771
                    • Instruction ID: 467fa1369249bd188ff0f019293d8c48379c865be93c1482778cea8c8be3c4f2
                    • Opcode Fuzzy Hash: 8014ed596f3f66429f7f1ee57832eff26723fb2b29c9719616b52acb8f477771
                    • Instruction Fuzzy Hash: 5DF05822A0F3C94EEB2357A44C711A43F70EF47604F4A01F7E098DA0F3D91869498352
                    Memory Dump Source
                    • Source File: 0000000E.00000002.1924629117.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8e2770a54e93e38ac75c52ab526031209ff06d66f6c3554d0eb06cc1f153477f
                    • Instruction ID: 864762fa7a930bd23661c4fbecc33c40b63e5f3e8109e4ec927888e89467b93f
                    • Opcode Fuzzy Hash: 8e2770a54e93e38ac75c52ab526031209ff06d66f6c3554d0eb06cc1f153477f
                    • Instruction Fuzzy Hash: E371C970A09A5D8FDF94EF68C855BADBBF1FF59301F1001AAE04DD7296CA74A881CB41
                    Memory Dump Source
                    • Source File: 0000000E.00000002.1924629117.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3fa546a950a852d2642d7dc48ad0495d1f23543b362333fd9b282611a8a3da21
                    • Instruction ID: cf17dcfcfdac93dcab17832de2753d240118972465f657d2f5088f3865a8ed5a
                    • Opcode Fuzzy Hash: 3fa546a950a852d2642d7dc48ad0495d1f23543b362333fd9b282611a8a3da21
                    • Instruction Fuzzy Hash: 1C61B670A08A5D8FDF94EF68C855BADBBF1FB69305F5001A9E00DD7295CA74A9818B40
                    Memory Dump Source
                    • Source File: 0000000E.00000002.1924629117.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ecd8aaf80acedf9c8b930ac742c9c7f2b5752d1e890401abdb4a4e4174244395
                    • Instruction ID: b7e7f6db3de5eef85e43a3f64bef66eaa6792a5b1333b7fad262e19946911339
                    • Opcode Fuzzy Hash: ecd8aaf80acedf9c8b930ac742c9c7f2b5752d1e890401abdb4a4e4174244395
                    • Instruction Fuzzy Hash: C1110474A05A8E8FCBC5DF98C48469EBBF2FF69310B10466AC409D7759DB34D846CB40
                    Memory Dump Source
                    • Source File: 0000000E.00000002.1924629117.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 91e89eeed0d74d42584b1522a9da65fe3aa5cfa1e1f53e45cb1cb935b1f0e24e
                    • Instruction ID: 88de7429d39f93029f9f4117760e5b05dc3fdda44d65ea31d3ae255599a4aa23
                    • Opcode Fuzzy Hash: 91e89eeed0d74d42584b1522a9da65fe3aa5cfa1e1f53e45cb1cb935b1f0e24e
                    • Instruction Fuzzy Hash: 2D018431D1964D8FDB55EFA484682FDBFB0FF59300F4205AAD058D61A2DB759A44C701
                    Memory Dump Source
                    • Source File: 0000000E.00000002.1924629117.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_7ffd9b890000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 389915e7ef05c71e7b556442a9fbc22eb5407bd5920972f2e9dee9e82b9e9b05
                    • Instruction ID: 351b89393b50ef351584bcd601594e0eb62cba4bcaa3c9c01982cf3f45ab8d54
                    • Opcode Fuzzy Hash: 389915e7ef05c71e7b556442a9fbc22eb5407bd5920972f2e9dee9e82b9e9b05
                    • Instruction Fuzzy Hash: C1F06D7061894E8FCBC8EF68C490AAEB7F1FF58300B1042AAD009D3669CA34EC42CB40
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c2af0702f2f9c54cbe6502080191dc9ecdc4662a3ee158c268cbbdb61b25810a
                    • Instruction ID: 417fe54831fa0efbfbbc64e25c9c7687151a5049f19640887b29274aea005312
                    • Opcode Fuzzy Hash: c2af0702f2f9c54cbe6502080191dc9ecdc4662a3ee158c268cbbdb61b25810a
                    • Instruction Fuzzy Hash: 65C19E71A0895D8FDB94EB6CE8A5AEC7BF0FF98315F0401BAD04CD7192DA34A8858B40
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 70f2f5914c0557b3697c43ee73eaf545684db19a540d7d908819919fc435ece5
                    • Instruction ID: 32399a192f8da41e159b2f2f4d0fbebcdb64a49f288c02c05f5949029e8e8db6
                    • Opcode Fuzzy Hash: 70f2f5914c0557b3697c43ee73eaf545684db19a540d7d908819919fc435ece5
                    • Instruction Fuzzy Hash: 20F0582290F7C94FE7335BA458711A43F70AF47604F0A01F3E0A88A0F3D92869498362
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 60e61a4d6bb3067fe025eb69a4be8c6f891f4397626f677d70d71f669a05a0ca
                    • Instruction ID: 2b1b473b9ac3cf154b2e928bf1f83e55ffa0da96aab374845fa582e1ae4ed998
                    • Opcode Fuzzy Hash: 60e61a4d6bb3067fe025eb69a4be8c6f891f4397626f677d70d71f669a05a0ca
                    • Instruction Fuzzy Hash: 94D16F30A09A4E8FDB88DF68C854BA9B7F1FF59300F1441AAD40DD7296DB34AD86CB51
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bbf96a1729584cb233a5748b413c2171d36d60fb1452943470c968e1109fa80e
                    • Instruction ID: 0af9191ad3a92480bdd89e8c85baaa4d11ae2cdb232a85580283e5f5ae1b862d
                    • Opcode Fuzzy Hash: bbf96a1729584cb233a5748b413c2171d36d60fb1452943470c968e1109fa80e
                    • Instruction Fuzzy Hash: 5D81E770A08A1D8FDB94EF58D895BADB7F1FF69301F1001AAD01DE7292DB34A881CB40
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4e3dea860659a27be75bb6611dd2ebc1c40082f9a9e18a66a10f2eb371fd2c84
                    • Instruction ID: ed074c29dce0a51c072e8bb4ddbced1e85a4c4e9086f02186bb203227423b775
                    • Opcode Fuzzy Hash: 4e3dea860659a27be75bb6611dd2ebc1c40082f9a9e18a66a10f2eb371fd2c84
                    • Instruction Fuzzy Hash: C381CA70A08A5D8FDF94EF58C855BADBBF1FF69301F1001AAD01DD7296CA74A881CB41
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d3bdacdc80b340362aba0b5899001f98aa2eb5283e9b5650f1eef828b835c16
                    • Instruction ID: f10592d50d03bcb96dcf9d363ce3535c1caca4c969c3243cab0246489995b960
                    • Opcode Fuzzy Hash: 7d3bdacdc80b340362aba0b5899001f98aa2eb5283e9b5650f1eef828b835c16
                    • Instruction Fuzzy Hash: F081A470A08A1D8FDF94EF58C895BADB7F1FB69301F1001AAE01DE7295DB74A981CB41
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8ad597f4f03224f2910cf194dd7e1c08dd77fe20d380d662fcfd118cfef3ffd9
                    • Instruction ID: 6d05074fd20e1b97d337dd72859e8468739f9c9598704dff8db273e33d85a87e
                    • Opcode Fuzzy Hash: 8ad597f4f03224f2910cf194dd7e1c08dd77fe20d380d662fcfd118cfef3ffd9
                    • Instruction Fuzzy Hash: 2C312731E0E68E4FDB52ABA098216FA7BB1EF0A314F0500BAE069D31D3CE7D9545C751
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2004373861.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_7ffd9b880000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c034d87fdca72f3645a624506f7d280bddbc149edc70a064d57358e64b012e29
                    • Instruction ID: 3d6f4eb65bd5644d01a392b87585fa3bc643f6bf0085b29906a87b0dffec0de6
                    • Opcode Fuzzy Hash: c034d87fdca72f3645a624506f7d280bddbc149edc70a064d57358e64b012e29
                    • Instruction Fuzzy Hash: AE018F30D1AA4D8FDB55EFA4C8686FCBBB1FF59300F4205AAD018D71A2DB75AA44C741
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 570862423ac60e492943fbd9023f403c682aca923cac5c04433a42cd531876c9
                    • Instruction ID: 092f543b0b95b7ca63ebfd7fc55e729bf01d463bf29924d7c9d026343d2792f2
                    • Opcode Fuzzy Hash: 570862423ac60e492943fbd9023f403c682aca923cac5c04433a42cd531876c9
                    • Instruction Fuzzy Hash: 2BC18171B0896D8FDB94EBACD865AEC7BF0FF59315F0401BAD04CD7192DA34A8818B81
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5f3a3ed2a688095d0675b230dc1c949811638029b67f9352f82be4cf51a516fb
                    • Instruction ID: 6cebec11ef472185418de104dbc0c278c506a6695f3a58c71a84dbb307704bc7
                    • Opcode Fuzzy Hash: 5f3a3ed2a688095d0675b230dc1c949811638029b67f9352f82be4cf51a516fb
                    • Instruction Fuzzy Hash: 61F0582290F3C94EEB2357A44C715A43F70AF87604F0A02F7E088CA0F3D9186A4987A2
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a5403841d62728353f62f975174e2dbdb4dea759830c9347443dbee0679d9302
                    • Instruction ID: e3a38ac54c49807dca4050627d700420771e3fd05efc262d64a10b37556c341d
                    • Opcode Fuzzy Hash: a5403841d62728353f62f975174e2dbdb4dea759830c9347443dbee0679d9302
                    • Instruction Fuzzy Hash: 94D16270A19A5D8FDB98DF58C490BAD77F1FF69300F1042AAD40DE7296CA30AA45CF91
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b8fbe80cb07a154920a130025729e68dc2135674009dc8bfe8234d4ca7452ed7
                    • Instruction ID: 447f14749e66b2e5ef8d1f9503de0a52fcdbc8bda525d39331fe7328f910bce7
                    • Opcode Fuzzy Hash: b8fbe80cb07a154920a130025729e68dc2135674009dc8bfe8234d4ca7452ed7
                    • Instruction Fuzzy Hash: DC81C771A08A1D8FDB94EF68D895BADB7F1FF59305F1001AAD00DE7296DA34A8818B41
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cafe02e598d3d79494fd0dbef6dc881f4e743520dd440fce82555a8aacd70e4b
                    • Instruction ID: bae653903b21149c5e259a99e37edcf658ce251f1e8055f32eff6910c22ffa8f
                    • Opcode Fuzzy Hash: cafe02e598d3d79494fd0dbef6dc881f4e743520dd440fce82555a8aacd70e4b
                    • Instruction Fuzzy Hash: 7981CA70A08A5D8FDF94EF68C855BACBBF1FF59301F1401AAD00DD7296CA74A881CB41
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dd37335db3186c92685993ca5a83b2e6191a8f04380ad802228fde167113b068
                    • Instruction ID: 53863e7e059b3fb8c4f04df0ff17a35c9d2b9219a5289c32fdf1886ef2bc8fd4
                    • Opcode Fuzzy Hash: dd37335db3186c92685993ca5a83b2e6191a8f04380ad802228fde167113b068
                    • Instruction Fuzzy Hash: 8481A470A08A1D8FDF94EF68C895BADB7F1FB69301F1001A9E00DE7295DB74A981CB41
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a5fe360e0767f7604d60c5b74aa9f772ecf0cacf81aff6288e86e7ac85b5d7e3
                    • Instruction ID: f8464de9285b1cff5333c755f759b99ca7a967d3194203241e688b01d5252ba7
                    • Opcode Fuzzy Hash: a5fe360e0767f7604d60c5b74aa9f772ecf0cacf81aff6288e86e7ac85b5d7e3
                    • Instruction Fuzzy Hash: 5E310631E1E29A4FDB11ABB094216FA7BB1EF06314F0500BAE059D70D3CE6D9656CB91
                    Memory Dump Source
                    • Source File: 00000010.00000002.2296262175.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_16_2_7ffd9b8b0000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7cfe2732ebb438514acb27108bbdba38717baf854502e97fb3a14f5c0fc22ac5
                    • Instruction ID: e4016b30eca8c612174121b23001c2f9b1f4dfb545649b72db46f13c505a11c1
                    • Opcode Fuzzy Hash: 7cfe2732ebb438514acb27108bbdba38717baf854502e97fb3a14f5c0fc22ac5
                    • Instruction Fuzzy Hash: 9B01D430D1965D8FDB55EFB488686FCBBB0FF49300F4205AAD418D21A2DB35A644CB40
                    Memory Dump Source
                    • Source File: 00000012.00000002.2898535778.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_18_2_7ffd9b870000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b25125ca1863cc079e42933b9a311512656c0cf7296f611c8052da34a0764d00
                    • Instruction ID: 4fbd4852c1f88ce9a2df8be9023bedbb571a893f17d67c83ef553cc379478cfd
                    • Opcode Fuzzy Hash: b25125ca1863cc079e42933b9a311512656c0cf7296f611c8052da34a0764d00
                    • Instruction Fuzzy Hash: CEC18271A0855D8FDB94EBACE8A5AED7BF1EF58314F1401BAE04DD7192DA34A881CB40
                    Memory Dump Source
                    • Source File: 00000012.00000002.2898535778.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_18_2_7ffd9b870000_Injector.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1f3c7b121e9a78cac5f428174fd5a4aac5cd8c48d7fb0be0ad29265e12b19902
                    • Instruction ID: 9ff51099774820de8c5d31b1699f520d08d90e4ff21726b22bf88e4f950a8f8e
                    • Opcode Fuzzy Hash: 1f3c7b121e9a78cac5f428174fd5a4aac5cd8c48d7fb0be0ad29265e12b19902
                    • Instruction Fuzzy Hash: D1C12074A1495D8FDB88EF58C894BE9B7B2FFA8304F1082AAD40DE7359DA30D941CB51
                    Memory Dump Source