
Windows Analysis Report
7jmd8E2KEb.exe

Overview

General Information

Sample name: 7jmd8E2KEb.exe (renamed because the original name is a hash value)
Original sample name: B1D049996722004FA0C8A9B61CF813EB.exe
Analysis ID: 1537507
MD5: b1d049996722004fa0c8a9b61cf813eb
SHA1: b8fee28ca9f7e3a43840e71c5372a2474873796b
SHA256: e39ed141c0cf3973783231931ce8a16f371563b37ec57f02933e8929a1086d42
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 7jmd8E2KEb.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\7jmd8E2KEb.exe" MD5: B1D049996722004FA0C8A9B61CF813EB)
    • powershell.exe (PID: 3156 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6312 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6316 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7jmd8E2KEb.exe (PID: 4456 cmdline: "C:\Users\user\Desktop\7jmd8E2KEb.exe" MD5: B1D049996722004FA0C8A9B61CF813EB)
      • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • eFXWrQYLi.exe (PID: 6916 cmdline: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe MD5: B1D049996722004FA0C8A9B61CF813EB)
    • schtasks.exe (PID: 5816 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • eFXWrQYLi.exe (PID: 1516 cmdline: "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe" MD5: B1D049996722004FA0C8A9B61CF813EB)
      • conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["204.10.161.140:27667"], "Bot Id": "button1"}
Source: Process Memory Space: 7jmd8E2KEb.exe PID: 4456 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: eFXWrQYLi.exe PID: 6916 | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security

      System Summary

      barindex
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7jmd8E2KEb.exe", ParentImage: C:\Users\user\Desktop\7jmd8E2KEb.exe, ParentProcessId: 6944, ParentProcessName: 7jmd8E2KEb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", ProcessId: 3156, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7jmd8E2KEb.exe", ParentImage: C:\Users\user\Desktop\7jmd8E2KEb.exe, ParentProcessId: 6944, ParentProcessName: 7jmd8E2KEb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", ProcessId: 3156, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe, ParentImage: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe, ParentProcessId: 6916, ParentProcessName: eFXWrQYLi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp", ProcessId: 5816, ProcessName: schtasks.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7jmd8E2KEb.exe", ParentImage: C:\Users\user\Desktop\7jmd8E2KEb.exe, ParentProcessId: 6944, ParentProcessName: 7jmd8E2KEb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp", ProcessId: 6316, ProcessName: schtasks.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7jmd8E2KEb.exe", ParentImage: C:\Users\user\Desktop\7jmd8E2KEb.exe, ParentProcessId: 6944, ParentProcessName: 7jmd8E2KEb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe", ProcessId: 3156, ProcessName: powershell.exe

      Persistence and Installation Behavior

      barindex
      Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7jmd8E2KEb.exe", ParentImage: C:\Users\user\Desktop\7jmd8E2KEb.exe, ParentProcessId: 6944, ParentProcessName: 7jmd8E2KEb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp", ProcessId: 6316, ProcessName: schtasks.exe
      No Suricata rule has matched


      AV Detection

      barindex
      Source: 0.2.7jmd8E2KEb.exe.43ab340.3.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["204.10.161.140:27667"], "Bot Id": "button1"}
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | ReversingLabs: Detection: 78%
      Source: 7jmd8E2KEb.exe | ReversingLabs: Detection: 78%
      Source: 7jmd8E2KEb.exe | Virustotal: Detection: 58%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Joe Sandbox ML: detected
      Source: 7jmd8E2KEb.exe | Joe Sandbox ML: detected
      Source: 7jmd8E2KEb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 7jmd8E2KEb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Code function: 4x nop then jmp 09BF8101h | 0_2_09BF84D9
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Code function: 4x nop then jmp 09BF8101h | 0_2_09BF87EF
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Code function: 4x nop then jmp 09BF8101h | 0_2_09BF86B4
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Code function: 4x nop then jmp 07197641h | 8_2_07197A19
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Code function: 4x nop then jmp 07197641h | 8_2_07197D2F
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Code function: 4x nop then jmp 07197641h | 8_2_07197BF4

      Networking

      barindex
      Source: Malware configuration extractor | URLs: 204.10.161.140:27667
      Source: unknown | DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.00000000029EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.00000000029EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.00000000029EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
      Source: eFXWrQYLi.exe, 0000000C.00000002.1723875924.00000000029EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldbx equals www.youtube.com (Youtube)
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002E8B000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.00000000029EB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
      Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1701020168.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 00000008.00000002.1734513014.0000000002C88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1705644997.0000000005194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com08
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.000000000296D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.s
      Source: eFXWrQYLi.exe, 0000000C.00000002.1723875924.000000000296D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
      Source: eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_3d34fb31-9

      System Summary

      barindex
      Source: 0.2.7jmd8E2KEb.exe.43ab340.3.raw.unpack, Strings.csLarge array initialization: Strings: array initializer size 6160
      Source: 0.2.7jmd8E2KEb.exe.3ad9c20.2.raw.unpack, Strings.csLarge array initialization: Strings: array initializer size 6160
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_00D8D5BC0_2_00D8D5BC
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF9E000_2_09BF9E00
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF1B800_2_09BF1B80
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF3CB00_2_09BF3CB0
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF0C180_2_09BF0C18
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF1FB80_2_09BF1FB8
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF1FA80_2_09BF1FA8
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF41B00_2_09BF41B0
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF41C00_2_09BF41C0
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 0_2_09BF17480_2_09BF1748
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeCode function: 6_2_02C0A4376_2_02C0A437
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_00DFD5BC8_2_00DFD5BC
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_071993408_2_07199340
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_071917488_2_07191748
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_071941B08_2_071941B0
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_071941C08_2_071941C0
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_07191FB88_2_07191FB8
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_07191FA88_2_07191FA8
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_07190D908_2_07190D90
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_07190C188_2_07190C18
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_07193CB08_2_07193CB0
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 8_2_07191B808_2_07191B80
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeCode function: 12_2_00B5A43712_2_00B5A437
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess token adjusted: SecurityJump to behavior
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1707027156.0000000006EB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1702795427.00000000039E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpulebane.exe" vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1702795427.00000000039E8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1702795427.00000000043AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpulebane.exe" vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1697591697.0000000000A5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exe, 00000000.00000002.1702795427.0000000003B45000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpulebane.exe" vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1681776773.000000000042E000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSpulebane.exe" vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exeBinary or memory string: OriginalFilenameZIe.exe6 vs 7jmd8E2KEb.exe
      Source: 7jmd8E2KEb.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 7jmd8E2KEb.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: eFXWrQYLi.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: 0.2.7jmd8E2KEb.exe.43ab340.3.raw.unpack, PBE.csCryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.7jmd8E2KEb.exe.43ab340.3.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
      Source: 0.2.7jmd8E2KEb.exe.3ad9c20.2.raw.unpack, PBE.csCryptographic APIs: 'TransformFinalBlock'
      Source: 0.2.7jmd8E2KEb.exe.3ad9c20.2.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, deGfpECfZ4TovGyjDw.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, DOPmVo33algSiXjpiT.csSecurity API names: _0020.SetAccessControl
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, DOPmVo33algSiXjpiT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, DOPmVo33algSiXjpiT.csSecurity API names: _0020.AddAccessRule
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, deGfpECfZ4TovGyjDw.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, DOPmVo33algSiXjpiT.csSecurity API names: _0020.SetAccessControl
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, DOPmVo33algSiXjpiT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, DOPmVo33algSiXjpiT.csSecurity API names: _0020.AddAccessRule
      Source: classification engineClassification label: mal100.troj.evad.winEXE@18/11@1/0
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile created: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeMutant created: NULL
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeMutant created: \Sessions\1\BaseNamedObjects\CmEsqzXVOUzdZZfmsJT
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7893.tmpJump to behavior
      Source: 7jmd8E2KEb.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: 7jmd8E2KEb.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: 7jmd8E2KEb.exeReversingLabs: Detection: 78%
      Source: 7jmd8E2KEb.exeVirustotal: Detection: 58%
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile read: C:\Users\user\Desktop\7jmd8E2KEb.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\7jmd8E2KEb.exe "C:\Users\user\Desktop\7jmd8E2KEb.exe"
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess created: C:\Users\user\Desktop\7jmd8E2KEb.exe "C:\Users\user\Desktop\7jmd8E2KEb.exe"
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeProcess created: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"Jump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: iconcodecservice.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: iconcodecservice.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: propsys.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: edputil.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: slc.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: sppc.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 7jmd8E2KEb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 7jmd8E2KEb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, DOPmVo33algSiXjpiT.cs | .Net Code: eN4Xu1Jj0J System.Reflection.Assembly.Load(byte[])
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, DOPmVo33algSiXjpiT.cs | .Net Code: eN4Xu1Jj0J System.Reflection.Assembly.Load(byte[])
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Code function: 0_2_09BFB938 push 400B00CBh; retf 0_2_09BFB93D
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Code function: 8_2_0719B14A pushfd ; ret 8_2_0719B151
      Source: 7jmd8E2KEb.exe | Static PE information: section name: .text entropy: 7.918371513742522
      Source: eFXWrQYLi.exe.0.dr | Static PE information: section name: .text entropy: 7.918371513742522
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, DOPmVo33algSiXjpiT.cs | High entropy of concatenated method names: 'g8TPIuU3PD', 'GFsPvy0LHm', 'cvUP6wQ22X', 'HpsPR9n5sv', 'wCfPE67Tyi', 'ss7Px10jS6', 'zBJP2MPg8Y', 'nv2P3bwUPR', 's6ZPpjs8mY', 'clXP72bkvI'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, x0vhQs50Ms5at0WGxl.cs | High entropy of concatenated method names: 'AfLRZnmDNv', 'NBqRque1dj', 'zyORCysixY', 'bhHR5o4J5b', 'jocRiOXI1w', 'VaQRKipeF6', 'hXQRHqpZC4', 'sReRJPOHh8', 'gdHRDZFjkR', 'YHLRU6xdEd'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, KfND3pbPnSL7RvxBfsy.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LFlUSssw1c', 'NERUhdfFqr', 'xxEUVCKFtQ', 'Y49UlurPQp', 'BEZUAioine', 'FwqUeBR1L9', 'nWgU9plqR5'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, aO1UsblnQtwOA3lHkf.cs | High entropy of concatenated method names: 'MAZH7NSxXD', 'PMhHFSy33S', 'ToString', 'cTbHv7Y39b', 'PdLH6PhLoN', 'ty3HRg9UwT', 'basHESl4SY', 'tV6HxBiiqO', 'C28H25Swgi', 'uYUH36X0P5'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, TAL3uCSgMGVPKfcfBR.cs | High entropy of concatenated method names: 'zdZiNRHBaM', 'UaHijXwMf2', 'OFUiSJy9Dp', 'yVnihTVwLA', 'LLZi8y7FLR', 'WfbiQSJrDl', 'XdQiO2QlYT', 'AMLiylBwpA', 'Tw9iTuGNOh', 'Bogiaqygib'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, deGfpECfZ4TovGyjDw.cs | High entropy of concatenated method names: 'Rxy6S0PMGx', 'k036hFrqlc', 'RYV6VSUZjJ', 'Vv66lomCDD', 'mYQ6AAlcjJ', 'AJ36edl6Vl', 'xhp69sLSCw', 'hZC6dSSQwr', 'bAy6LaENmf', 'j716suHWsm'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, t9LUdqnMbfG2VgfOAt.cs | High entropy of concatenated method names: 'SPeua13SP', 'TOVZNl8iw', 'c8tqhUFGj', 'YYrwWbFQi', 'rna5qMwfK', 'cZLrtwCTx', 'uqMI0fq9OV6Asfu7yQ', 'K5CZRpJLOGgAGNOuqY', 'IDhJkFpmV', 'P3OURxtsF'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, M6atR8X83MeA2g6fEP.cs | High entropy of concatenated method names: 'jMPb2eGfpE', 'zZ4b3TovGy', 'Y0Mb7s5at0', 'tGxbFl8jrr', 'cGhbinpcd9', 'p5vbKVAbn5', 'TrF8bIUNDMBsAUr4lD', 'Au4mC7IqADlB2Sp65g', 'aDebbHWLDo', 'M7XbPqKPEC'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, HjrrNFrVIaSscPGhnp.cs | High entropy of concatenated method names: 'S8KEcXAMCO', 'TyREwRfar7', 'I6eRQkq1kY', 'OjsRO9icIp', 'w1HRytTU9Z', 'TQWRTDt81H', 'SQ3RaA4xrO', 'mjXRB4uPZd', 'y0HRgYdyUO', 'QIsRNO3rTF'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, HOhNTbVHICWQE2u4xG.cs | High entropy of concatenated method names: 'ToString', 'z22KM3caLR', 'jVbK8oUm82', 'bqOKQuoXV1', 'USbKOIZBxZ', 'KDlKy2AyUn', 'qBhKT7W8U3', 'aXFKaCJDUd', 'weQKBIkAHY', 'VUpKgajvDm'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, n269Nh6C4Z7XGruTsm.cs | High entropy of concatenated method names: 'Dispose', 'mLxbL3d3oW', 'sGUn8ekNvq', 'MsYGGbmfVo', 'ViXbs4xLbJ', 'tJTbz2veT8', 'ProcessDialogKey', 'TlGn43R4TC', 'u0unbYHflo', 'IuDnn1t5Zx'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, nRG2xmg0BVdGVss3OI.cs | High entropy of concatenated method names: 'OLP2mHFWR7', 'HbC2fThkTt', 'qpF2uiHQmW', 'cvS2Z9kWug', 'Fn62cJlb0e', 'SWK2qGi9f0', 'QEv2wDErWQ', 'gyR2Corosl', 'iGk25ybtnF', 's5u2rHGmHM'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, Bd9K5v0VAbn5P7IycG.cs | High entropy of concatenated method names: 'OlyxIIJnKN', 'umdx6ghabX', 'AyhxExEyc2', 'W2Zx2kPmff', 'tT5x3aLGmM', 'TqKEAC2ZHQ', 'aXsEesKn4r', 'pBLE9JGO55', 'sKWEdr6Z5F', 'YUCELC3VTO'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, v3R4TCLo0uYHfloQuD.cs | High entropy of concatenated method names: 'UpwJ0r0U51', 'X80J8R4RTo', 'uqmJQ22TE1', 'hwTJOZTm3K', 'rb4JSeqZgr', 'p6VJyNCUFD', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, oX4xLbdJWJT2veT8Vl.cs | High entropy of concatenated method names: 'VVxJvAGUke', 'WXmJ66EpIP', 'AAKJRHGt9Y', 'B0AJEIdfZy', 'K3XJxT8JyG', 'MOZJ2hSGHi', 'n6wJ3H4y7x', 'GnpJpVsSRs', 'vQyJ7caYFk', 'RNAJFuT5eJ'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, prMdkItcPoXb2HnUUl.cs | High entropy of concatenated method names: 'd7hYCuwyCh', 'JJmY5QPObT', 'n1YY0l1Mpw', 'JolY8EgiM7', 'JADYOe5ipb', 'xl8Yy6nxqg', 'IiDYa4p24y', 'CPBYB1lrmW', 'd8iYNw3lbX', 'WftYMYsmsV'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, mpyBQJeEEynPfeS9Oj.cs | High entropy of concatenated method names: 'nGZHdHxweC', 'LdOHsOoqNx', 'pvjJ47u37D', 'HCiJbd7QYV', 'xoyHMvD7ae', 'lV0HjkAMo9', 'HLqHtwUIID', 'ufqHSyJn3q', 'FAiHhSvXAZ', 'sJfHVYEs37'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, iS5lD3b467Db9juU8Fd.cs | High entropy of concatenated method names: 'g1XDmu3CRr', 'Lv6DfHR8Xa', 'eInDu8yPn6', 'girDZ3IpTV', 'L2HDcSprXw', 'p6mDqrMuhZ', 'vF3Dwrh1KQ', 'lhBDCtqV54', 'VOQD5lNiY6', 'cGYDrCbLT0'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, DFtDAtaphDFs5HCQhJ.cs | High entropy of concatenated method names: 'nqn2vew8wo', 'owj2R9cjA5', 'nKD2xV1R63', 'XmsxsRmJdH', 'AYfxz84ebW', 'UdO24b1O5r', 'U8E2b7hWQO', 'fPt2nberk9', 'GqM2PJ5kgR', 'SSE2XtoMRH'
      Source: 0.2.7jmd8E2KEb.exe.3a11c00.1.raw.unpack, wt5ZxIswh038G3WbTK.cs | High entropy of concatenated method names: 'nwjDbEOFP6', 'jPSDPU2cCs', 'j6FDX9NASe', 'H0jDvjwgB7', 'MIID6G7wYh', 'aiVDE6Q9GM', 'nkKDxLkMfu', 'XF6J9yplBu', 'xLAJdRJfTt', 'kScJL8Ebes'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, DOPmVo33algSiXjpiT.cs | High entropy of concatenated method names: 'g8TPIuU3PD', 'GFsPvy0LHm', 'cvUP6wQ22X', 'HpsPR9n5sv', 'wCfPE67Tyi', 'ss7Px10jS6', 'zBJP2MPg8Y', 'nv2P3bwUPR', 's6ZPpjs8mY', 'clXP72bkvI'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, x0vhQs50Ms5at0WGxl.cs | High entropy of concatenated method names: 'AfLRZnmDNv', 'NBqRque1dj', 'zyORCysixY', 'bhHR5o4J5b', 'jocRiOXI1w', 'VaQRKipeF6', 'hXQRHqpZC4', 'sReRJPOHh8', 'gdHRDZFjkR', 'YHLRU6xdEd'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, KfND3pbPnSL7RvxBfsy.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LFlUSssw1c', 'NERUhdfFqr', 'xxEUVCKFtQ', 'Y49UlurPQp', 'BEZUAioine', 'FwqUeBR1L9', 'nWgU9plqR5'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, aO1UsblnQtwOA3lHkf.cs | High entropy of concatenated method names: 'MAZH7NSxXD', 'PMhHFSy33S', 'ToString', 'cTbHv7Y39b', 'PdLH6PhLoN', 'ty3HRg9UwT', 'basHESl4SY', 'tV6HxBiiqO', 'C28H25Swgi', 'uYUH36X0P5'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, TAL3uCSgMGVPKfcfBR.cs | High entropy of concatenated method names: 'zdZiNRHBaM', 'UaHijXwMf2', 'OFUiSJy9Dp', 'yVnihTVwLA', 'LLZi8y7FLR', 'WfbiQSJrDl', 'XdQiO2QlYT', 'AMLiylBwpA', 'Tw9iTuGNOh', 'Bogiaqygib'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, deGfpECfZ4TovGyjDw.cs | High entropy of concatenated method names: 'Rxy6S0PMGx', 'k036hFrqlc', 'RYV6VSUZjJ', 'Vv66lomCDD', 'mYQ6AAlcjJ', 'AJ36edl6Vl', 'xhp69sLSCw', 'hZC6dSSQwr', 'bAy6LaENmf', 'j716suHWsm'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, t9LUdqnMbfG2VgfOAt.cs | High entropy of concatenated method names: 'SPeua13SP', 'TOVZNl8iw', 'c8tqhUFGj', 'YYrwWbFQi', 'rna5qMwfK', 'cZLrtwCTx', 'uqMI0fq9OV6Asfu7yQ', 'K5CZRpJLOGgAGNOuqY', 'IDhJkFpmV', 'P3OURxtsF'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, M6atR8X83MeA2g6fEP.cs | High entropy of concatenated method names: 'jMPb2eGfpE', 'zZ4b3TovGy', 'Y0Mb7s5at0', 'tGxbFl8jrr', 'cGhbinpcd9', 'p5vbKVAbn5', 'TrF8bIUNDMBsAUr4lD', 'Au4mC7IqADlB2Sp65g', 'aDebbHWLDo', 'M7XbPqKPEC'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, HjrrNFrVIaSscPGhnp.cs | High entropy of concatenated method names: 'S8KEcXAMCO', 'TyREwRfar7', 'I6eRQkq1kY', 'OjsRO9icIp', 'w1HRytTU9Z', 'TQWRTDt81H', 'SQ3RaA4xrO', 'mjXRB4uPZd', 'y0HRgYdyUO', 'QIsRNO3rTF'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, HOhNTbVHICWQE2u4xG.cs | High entropy of concatenated method names: 'ToString', 'z22KM3caLR', 'jVbK8oUm82', 'bqOKQuoXV1', 'USbKOIZBxZ', 'KDlKy2AyUn', 'qBhKT7W8U3', 'aXFKaCJDUd', 'weQKBIkAHY', 'VUpKgajvDm'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, n269Nh6C4Z7XGruTsm.cs | High entropy of concatenated method names: 'Dispose', 'mLxbL3d3oW', 'sGUn8ekNvq', 'MsYGGbmfVo', 'ViXbs4xLbJ', 'tJTbz2veT8', 'ProcessDialogKey', 'TlGn43R4TC', 'u0unbYHflo', 'IuDnn1t5Zx'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, nRG2xmg0BVdGVss3OI.cs | High entropy of concatenated method names: 'OLP2mHFWR7', 'HbC2fThkTt', 'qpF2uiHQmW', 'cvS2Z9kWug', 'Fn62cJlb0e', 'SWK2qGi9f0', 'QEv2wDErWQ', 'gyR2Corosl', 'iGk25ybtnF', 's5u2rHGmHM'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, Bd9K5v0VAbn5P7IycG.cs | High entropy of concatenated method names: 'OlyxIIJnKN', 'umdx6ghabX', 'AyhxExEyc2', 'W2Zx2kPmff', 'tT5x3aLGmM', 'TqKEAC2ZHQ', 'aXsEesKn4r', 'pBLE9JGO55', 'sKWEdr6Z5F', 'YUCELC3VTO'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, v3R4TCLo0uYHfloQuD.cs | High entropy of concatenated method names: 'UpwJ0r0U51', 'X80J8R4RTo', 'uqmJQ22TE1', 'hwTJOZTm3K', 'rb4JSeqZgr', 'p6VJyNCUFD', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, oX4xLbdJWJT2veT8Vl.cs | High entropy of concatenated method names: 'VVxJvAGUke', 'WXmJ66EpIP', 'AAKJRHGt9Y', 'B0AJEIdfZy', 'K3XJxT8JyG', 'MOZJ2hSGHi', 'n6wJ3H4y7x', 'GnpJpVsSRs', 'vQyJ7caYFk', 'RNAJFuT5eJ'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, prMdkItcPoXb2HnUUl.cs | High entropy of concatenated method names: 'd7hYCuwyCh', 'JJmY5QPObT', 'n1YY0l1Mpw', 'JolY8EgiM7', 'JADYOe5ipb', 'xl8Yy6nxqg', 'IiDYa4p24y', 'CPBYB1lrmW', 'd8iYNw3lbX', 'WftYMYsmsV'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, mpyBQJeEEynPfeS9Oj.cs | High entropy of concatenated method names: 'nGZHdHxweC', 'LdOHsOoqNx', 'pvjJ47u37D', 'HCiJbd7QYV', 'xoyHMvD7ae', 'lV0HjkAMo9', 'HLqHtwUIID', 'ufqHSyJn3q', 'FAiHhSvXAZ', 'sJfHVYEs37'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, iS5lD3b467Db9juU8Fd.cs | High entropy of concatenated method names: 'g1XDmu3CRr', 'Lv6DfHR8Xa', 'eInDu8yPn6', 'girDZ3IpTV', 'L2HDcSprXw', 'p6mDqrMuhZ', 'vF3Dwrh1KQ', 'lhBDCtqV54', 'VOQD5lNiY6', 'cGYDrCbLT0'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, DFtDAtaphDFs5HCQhJ.cs | High entropy of concatenated method names: 'nqn2vew8wo', 'owj2R9cjA5', 'nKD2xV1R63', 'XmsxsRmJdH', 'AYfxz84ebW', 'UdO24b1O5r', 'U8E2b7hWQO', 'fPt2nberk9', 'GqM2PJ5kgR', 'SSE2XtoMRH'
      Source: 0.2.7jmd8E2KEb.exe.6eb0000.5.raw.unpack, wt5ZxIswh038G3WbTK.cs | High entropy of concatenated method names: 'nwjDbEOFP6', 'jPSDPU2cCs', 'j6FDX9NASe', 'H0jDvjwgB7', 'MIID6G7wYh', 'aiVDE6Q9GM', 'nkKDxLkMfu', 'XF6J9yplBu', 'xLAJdRJfTt', 'kScJL8Ebes'
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | File created: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe

      Boot Survival

      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp"

      Hooking and other Techniques for Hiding and Protection

      Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon2083.png
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match | File source: Process Memory Space: eFXWrQYLi.exe PID: 6916, type: MEMORYSTR
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\^Q
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,^Q
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: D80000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 2870000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 4870000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 89F0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 99F0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 9C00000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: AC00000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 2BC0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 2DD0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe | Memory allocated: 2C20000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: DF0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 2C30000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 87B0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 97B0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 99A0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: A9A0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: B50000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 2930000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | Memory allocated: 4930000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7148Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2387Jump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe TID: 6984Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6064Thread sleep time: -4611686018427385s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exe TID: 6104Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe TID: 4888Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe TID: 6200Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe`,^q
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe
      Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe@\^q
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Memory written: C:\Users\user\Desktop\7jmd8E2KEb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe; Memory written: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp"
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Process created: C:\Users\user\Desktop\7jmd8E2KEb.exe "C:\Users\user\Desktop\7jmd8E2KEb.exe"
Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp"
Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe; Process created: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002B27000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: GetProgmanWindow
Source: 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002FC7000.00000004.00000800.00020000.00000000.sdmp, eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002B27000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Users\user\Desktop\7jmd8E2KEb.exe VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\7jmd8E2KEb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeQueries volume information: C:\Users\user\Desktop\7jmd8E2KEb.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\eFXWrQYLi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\7jmd8E2KEb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: 7jmd8E2KEb.exe PID: 4456, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 7jmd8E2KEb.exe PID: 4456, type: MEMORYSTR
MITRE ATT&CK matrix, techniques with matching signatures (Tactic | Technique | number of matching signatures). The remaining cells of the matrix (Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration and Impact, plus the unmarked techniques in the other columns) carried no matches for this sample.

• Execution | Scheduled Task/Job | 1
• Persistence | Scheduled Task/Job | 1
• Persistence | DLL Side-Loading | 1
• Privilege Escalation | Process Injection | 112
• Privilege Escalation | Scheduled Task/Job | 1
• Privilege Escalation | DLL Side-Loading | 1
• Defense Evasion | Masquerading | 11
• Defense Evasion | Disable or Modify Tools | 11
• Defense Evasion | Virtualization/Sandbox Evasion | 31
• Defense Evasion | Process Injection | 112
• Defense Evasion | Deobfuscate/Decode Files or Information | 1
• Defense Evasion | Obfuscated Files or Information | 3
• Defense Evasion | Software Packing | 12
• Defense Evasion | DLL Side-Loading | 1
• Credential Access | Input Capture | 11
• Discovery | Security Software Discovery | 21
• Discovery | Process Discovery | 2
• Discovery | Virtualization/Sandbox Evasion | 31
• Discovery | Application Window Discovery | 1
• Discovery | File and Directory Discovery | 2
• Discovery | System Information Discovery | 12
• Collection | Input Capture | 11
• Collection | Archive Collected Data | 11
• Command and Control | Encrypted Channel | 1
• Command and Control | Non-Application Layer Protocol | 1
• Command and Control | Application Layer Protocol | 11
Behavior Graph (ID: 1537507, Sample: 7jmd8E2KEb.exe, Startdate: 19/10/2024, Architecture: WINDOWS, Score: 100)

DNS/IP info: 171.39.242.20.in-addr.arpa
Sample-level signatures: Found malware configuration; Icon mismatch, binary includes an icon from a different legit application in order to fool users; Sigma detected: Scheduled temp file as task from temp location; 9 other signatures

• 7jmd8E2KEb.exe (started)
  Dropped: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe (PE32); C:\Users\...\eFXWrQYLi.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7893.tmp (XML); C:\Users\user\AppData\...\7jmd8E2KEb.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  • powershell.exe (started); signature: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • 7jmd8E2KEb.exe (started); signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• eFXWrQYLi.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • eFXWrQYLi.exe (started)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)

Source | Detection | Scanner | Label
• 7jmd8E2KEb.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.Redline
• 7jmd8E2KEb.exe | 58% | Virustotal
• 7jmd8E2KEb.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
• C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | 100% | Joe Sandbox ML
• C:\Users\user\AppData\Roaming\eFXWrQYLi.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.Redline

No Antivirus matches

Source | Detection | Scanner | Label
• 171.39.242.20.in-addr.arpa | 0% | Virustotal

Source | Detection | Scanner | Label
• http://www.fontbureau.com | 0% | URL Reputation | safe
• http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
• https://api.ip.sb/ip | 0% | URL Reputation | safe
• http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
• http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
• http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
• http://www.tiro.com | 0% | URL Reputation | safe
• http://www.fontbureau.com/designers | 0% | URL Reputation | safe
• http://www.goodfont.co.kr | 0% | URL Reputation | safe
• http://www.carterandcone.coml | 0% | URL Reputation | safe
• http://www.sajatypeworks.com | 0% | URL Reputation | safe
• http://www.typography.netD | 0% | URL Reputation | safe
• http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
• http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
• http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
• http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
• http://www.founder.com.cn/cn | 0% | URL Reputation | safe
• http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
• http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
• http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
• http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
• http://www.fonts.com | 0% | URL Reputation | safe
• http://www.sandoll.co.kr | 0% | URL Reputation | safe
• http://www.urwpp.deDPlease | 0% | URL Reputation | safe
• http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
• http://www.sakkal.com | 0% | URL Reputation | safe
• http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal
• https://discord.com/api/v9/users/ | 0% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
• 171.39.242.20.in-addr.arpa | unknown | unknown | false | (none) | unknown

Name | Malicious | Antivirus Detection | Reputation
• 204.10.161.140:27667 | true | (none) | unknown

Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
• http://www.apache.org/licenses/LICENSE-2.0 | 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
• https://api.ip.sb/ip | eFXWrQYLi.exe, 0000000C.00000002.1723875924.000000000296D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
• http://www.sakkal.com08 | 7jmd8E2KEb.exe, 00000000.00000002.1705644997.0000000005194000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
• https://api.ip.s | 7jmd8E2KEb.exe, 00000006.00000002.1683794797.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp; eFXWrQYLi.exe, 0000000C.00000002.1723875924.000000000296D000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
• https://discord.com/api/v9/users/ | eFXWrQYLi.exe, 0000000C.00000002.1723875924.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 7jmd8E2KEb.exe, 00000000.00000002.1701020168.00000000028C8000.00000004.00000800.00020000.00000000.sdmp; eFXWrQYLi.exe, 00000008.00000002.1734513014.0000000002C88000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

The following URLs were all found in 7jmd8E2KEb.exe, 00000000.00000002.1706031973.0000000006922000.00000004.00000800.00020000.00000000.sdmp, each with Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown:
• http://www.fontbureau.com
• http://www.fontbureau.com/designersG
• http://www.fontbureau.com/designers/?
• http://www.founder.com.cn/cn/bThe
• http://www.fontbureau.com/designers?
• http://www.tiro.com
• http://www.fontbureau.com/designers
• http://www.goodfont.co.kr
• http://www.carterandcone.coml
• http://www.sajatypeworks.com
• http://www.typography.netD
• http://www.fontbureau.com/designers/cabarga.htmlN
• http://www.founder.com.cn/cn/cThe (URL Reputation: safe, listed twice)
• http://www.galapagosdesign.com/staff/dennis.htm
• http://www.founder.com.cn/cn
• http://www.fontbureau.com/designers/frere-user.html
• http://www.jiyu-kobo.co.jp/
• http://www.galapagosdesign.com/DPlease
• http://www.fontbureau.com/designers8
• http://www.fonts.com
• http://www.sandoll.co.kr
• http://www.urwpp.deDPlease
• http://www.zhongyicts.com.cn
• http://www.sakkal.com
            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1537507
Start date and time: 2024-10-19 03:26:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7jmd8E2KEb.exe (renamed because the original name is a hash value)
Original Sample Name: B1D049996722004FA0C8A9B61CF813EB.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@18/11@1/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 127
            • Number of non-executed functions: 10
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
• 02:27:00 | Task Scheduler | Run new task: eFXWrQYLi path: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
• 21:26:58 | API Interceptor | 2x Sleep call for process: 7jmd8E2KEb.exe modified
• 21:26:59 | API Interceptor | 16x Sleep call for process: powershell.exe modified
• 21:27:01 | API Interceptor | 2x Sleep call for process: eFXWrQYLi.exe modified
            No context
Process: C:\Users\user\Desktop\7jmd8E2KEb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379828835936797
Encrypted: false
SSDEEP: 48:tWSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMuge//x0Uyus:tLHxvCsIcnSKRHmOugw1s
MD5: 0A8DC36F7EC6BFE2B35B8BE72F005055
SHA1: 7D1D4AED78EEE079FC175C0934867F42BDE72BFB
SHA-256: 81FD5353FD614713231CB9CAC7DF81B548AC37F9F2D455927E203E405D8CEBEC
SHA-512: 3A09CC10891E251D7A59809065E6E6B896940B84A1878130174AF146E83EEE2C6DCDECADDECC9DFA3D0999AB56B0CA7D5F798DE5F4FD9C4DD5D81F4DFDD4E9AB
Malicious: false
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Users\user\Desktop\7jmd8E2KEb.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1575
            Entropy (8bit):5.117760718716117
            Encrypted:false
            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTZv
            MD5:AABFD02142893FE9D6AB47F442B06A70
            SHA1:B06F3045F4277E9BE13B5B80A133B612D10D4943
            SHA-256:C09BC5563EF77DD8518B2C2BF1BFBF8846CD31092AFC09D830868FF86F273A65
            SHA-512:35898104AA2163DA4315387C784ED3B13526FF60DA72BD3E7201DD6894CEB8A5E10C48FDD915200E9DABA3274E05D9B83083A96160AC44F4F3B97EDBED93B9FC
            Malicious:true
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
            Process:C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1575
            Entropy (8bit):5.117760718716117
            Encrypted:false
            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTZv
            MD5:AABFD02142893FE9D6AB47F442B06A70
            SHA1:B06F3045F4277E9BE13B5B80A133B612D10D4943
            SHA-256:C09BC5563EF77DD8518B2C2BF1BFBF8846CD31092AFC09D830868FF86F273A65
            SHA-512:35898104AA2163DA4315387C784ED3B13526FF60DA72BD3E7201DD6894CEB8A5E10C48FDD915200E9DABA3274E05D9B83083A96160AC44F4F3B97EDBED93B9FC
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
            Process:C:\Users\user\Desktop\7jmd8E2KEb.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1017344
            Entropy (8bit):7.888859094589534
            Encrypted:false
            SSDEEP:24576:E1jJoqDWRxwLj7MBDUocRNJySsaMu/nyTn0a0A4eZ:8jJopRK3ycRDyEz20nA4e
            MD5:B1D049996722004FA0C8A9B61CF813EB
            SHA1:B8FEE28CA9F7E3A43840E71C5372A2474873796B
            SHA-256:E39ED141C0CF3973783231931CE8A16F371563B37EC57F02933E8929A1086D42
            SHA-512:E1C65CD8604F2E093BE99A5B3D1644984FEA627DB1AF764253FEA4FD128362E8BC5B88803022171105C13861C15A53C2E164DF8742213B4C0856184B2705A43A
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 79%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..g..............0..~.............. ........@.. ....................................`.....................................O.......|............................................................................ ............... ..H............text....|... ...~.................. ..`.rsrc...|...........................@..@.reloc..............................@..B.......................H.......8?...9......@....y...#..........................................V.(.......s....o.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*".(.....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..s6...}......}.....(.......(*....*&..(.....*....0..@.........{.....{....o;...(...+o ...
            Process:C:\Users\user\Desktop\7jmd8E2KEb.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.888859094589534
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:7jmd8E2KEb.exe
            File size:1'017'344 bytes
            MD5:b1d049996722004fa0c8a9b61cf813eb
            SHA1:b8fee28ca9f7e3a43840e71c5372a2474873796b
            SHA256:e39ed141c0cf3973783231931ce8a16f371563b37ec57f02933e8929a1086d42
            SHA512:e1c65cd8604f2e093be99a5b3d1644984fea627db1af764253fea4fd128362e8bc5b88803022171105c13861c15a53c2e164df8742213b4c0856184b2705a43a
            SSDEEP:24576:E1jJoqDWRxwLj7MBDUocRNJySsaMu/nyTn0a0A4eZ:8jJopRK3ycRDyEz20nA4e
            TLSH:9D2512949116ED21E9E507B20432CBB207797FEDB422D35787EEFCE7763631169802A2
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..g..............0..~............... ........@.. ....................................`................................
            Icon Hash:2563ab89a7b7bfbf
            Entrypoint:0x4e9cf2
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x6707BE5A [Thu Oct 10 11:45:30 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe9ca0 | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xea000 | 0x1037c | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfc000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xe7cf8 | 0xe7e00 | 3980d7070cb85d85ff88386d18a7c747 | False | 0.9513603436657682 | data | 7.918371513742522 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xea000 | 0x1037c | 0x10400 | 3af97b840df13385a2db765e5879c0c1 | False | 0.7968599759615385 | data | 7.2889334534063845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xfc000 | 0xc | 0x200 | 515f663d057a028dda5d2652ef6a222d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xea298 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.33736559139784944
            RT_ICON | 0xea580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5033783783783784
            RT_ICON | 0xea6a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5562366737739872
            RT_ICON | 0xeb550 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6890794223826715
            RT_ICON | 0xebdf8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.4833815028901734
            RT_ICON | 0xec360 | 0xa1be | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9944210983915375
            RT_ICON | 0xf6520 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3877593360995851
            RT_ICON | 0xf8ac8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.46318011257035646
            RT_ICON | 0xf9b70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5877659574468085
            RT_GROUP_ICON | 0xf9fd8 | 0x84 | data | | | 0.6136363636363636
            RT_GROUP_ICON | 0xfa05c | 0x14 | data | | | 1.05
            RT_VERSION | 0xfa070 | 0x30c | data | | | 0.4307692307692308
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Oct 19, 2024 03:27:31.223562002 CEST | 53 | 50564 | 162.159.36.2 | 192.168.2.4
            Oct 19, 2024 03:27:31.854728937 CEST | 50836 | 53 | 192.168.2.4 | 1.1.1.1
            Oct 19, 2024 03:27:31.862284899 CEST | 53 | 50836 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Oct 19, 2024 03:27:31.854728937 CEST | 192.168.2.4 | 1.1.1.1 | 0x38d1 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Oct 19, 2024 03:27:31.862284899 CEST | 1.1.1.1 | 192.168.2.4 | 0x38d1 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

            Target ID:0
            Start time:21:26:57
            Start date:18/10/2024
            Path:C:\Users\user\Desktop\7jmd8E2KEb.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\7jmd8E2KEb.exe"
            Imagebase:0x460000
            File size:1'017'344 bytes
            MD5 hash:B1D049996722004FA0C8A9B61CF813EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:21:26:59
            Start date:18/10/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
            Imagebase:0x690000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:21:26:59
            Start date:18/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:21:26:59
            Start date:18/10/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp7893.tmp"
            Imagebase:0xb40000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:21:26:59
            Start date:18/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:21:26:59
            Start date:18/10/2024
            Path:C:\Users\user\Desktop\7jmd8E2KEb.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\7jmd8E2KEb.exe"
            Imagebase:0x8c0000
            File size:1'017'344 bytes
            MD5 hash:B1D049996722004FA0C8A9B61CF813EB
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:7
            Start time:21:26:59
            Start date:18/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:21:27:00
            Start date:18/10/2024
            Path:C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
            Imagebase:0x6e0000
            File size:1'017'344 bytes
            MD5 hash:B1D049996722004FA0C8A9B61CF813EB
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 79%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:9
            Start time:21:27:01
            Start date:18/10/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff693ab0000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:21:27:02
            Start date:18/10/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFXWrQYLi" /XML "C:\Users\user\AppData\Local\Temp\tmp83DE.tmp"
            Imagebase:0xb40000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:11
            Start time:21:27:02
            Start date:18/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:12
            Start time:21:27:03
            Start date:18/10/2024
            Path:C:\Users\user\AppData\Roaming\eFXWrQYLi.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Roaming\eFXWrQYLi.exe"
            Imagebase:0x540000
            File size:1'017'344 bytes
            MD5 hash:B1D049996722004FA0C8A9B61CF813EB
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:13
            Start time:21:27:03
            Start date:18/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:11.5%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:215
              Total number of Limit Nodes:9
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0664c13a2ecfa38b81a3b7b9226a9ac71f61ad4d1ee2aa98086da749692a59b8
              • Instruction ID: 457f3a818e95118343b6cb6c1bbd445054dcf95fb0d3ea43fa43b73c5e58acc2
              • Opcode Fuzzy Hash: 0664c13a2ecfa38b81a3b7b9226a9ac71f61ad4d1ee2aa98086da749692a59b8
              • Instruction Fuzzy Hash: 5DE1D1307006048FEB19EF79C460BAE77F6EF89710F1444AEE2099B291DB35E905CB61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e651069eab8bee7c9f8db3adc0a5562e5558dc7d703481b46e9c7844343306f7
              • Instruction ID: dbdac2dd26f79bf3bc007ac5aeb17721e71bd603f28e5ccd4b72b0a21d722ac1
              • Opcode Fuzzy Hash: e651069eab8bee7c9f8db3adc0a5562e5558dc7d703481b46e9c7844343306f7
              • Instruction Fuzzy Hash: 17E0B674949118CFDB24CF50E42A6F8BBB8BB0B3A1F0060D9E60BA6251CB305A89CE14
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9645951365d7e0c122ce6e94a6b7a353cdee0b4e09e23f49fe022ba05e749f8a
              • Instruction ID: 57fc9d5bce76ae481cec6dd1522d7893932cc31b1354d60ffeb75f7464c77ddb
              • Opcode Fuzzy Hash: 9645951365d7e0c122ce6e94a6b7a353cdee0b4e09e23f49fe022ba05e749f8a
              • Instruction Fuzzy Hash: 7BD067B4958108CFC714DF54E45A9F8BBB8AB0F361F006099E50BAB251DB309945CE54
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a56b6c2982af2608565cbfb293d8aacbbb39dcf2b30eebac2013dd4fe41db01
              • Instruction ID: 8ab777d1ccb7df5a3e29238fce01b6b91ae1fa8424113fb7a0bb43b818e181b8
              • Opcode Fuzzy Hash: 8a56b6c2982af2608565cbfb293d8aacbbb39dcf2b30eebac2013dd4fe41db01
              • Instruction Fuzzy Hash: 12C08C89D0E6898FD20146201CF05F0AB782B071A0B8A22D2CE86260C3A508811D4208

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 294 d8d031-d8d0cf GetCurrentProcess 299 d8d0d8-d8d10c GetCurrentThread 294->299 300 d8d0d1-d8d0d7 294->300 301 d8d10e-d8d114 299->301 302 d8d115-d8d149 GetCurrentProcess 299->302 300->299 301->302 303 d8d14b-d8d151 302->303 304 d8d152-d8d16d call d8d618 302->304 303->304 308 d8d173-d8d1a2 GetCurrentThreadId 304->308 309 d8d1ab-d8d20d 308->309 310 d8d1a4-d8d1aa 308->310 310->309
              APIs
              • GetCurrentProcess.KERNEL32 ref: 00D8D0BE
              • GetCurrentThread.KERNEL32 ref: 00D8D0FB
              • GetCurrentProcess.KERNEL32 ref: 00D8D138
              • GetCurrentThreadId.KERNEL32 ref: 00D8D191
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: f2d7b8b71fc0daf04d9cfbde2a5a2e192a6ad41e2489b26a43e2e2390f6df878
              • Instruction ID: d6967b6b19fb818829e9fdab66903ba9dcbaaee548c388ab6da5c99fff40f500
              • Opcode Fuzzy Hash: f2d7b8b71fc0daf04d9cfbde2a5a2e192a6ad41e2489b26a43e2e2390f6df878
              • Instruction Fuzzy Hash: 8F5178B0D003498FDB14DFA9D948BAEBBF2EF88314F208459E409A73A1D7745985CF65

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 317 d8d040-d8d0cf GetCurrentProcess 321 d8d0d8-d8d10c GetCurrentThread 317->321 322 d8d0d1-d8d0d7 317->322 323 d8d10e-d8d114 321->323 324 d8d115-d8d149 GetCurrentProcess 321->324 322->321 323->324 325 d8d14b-d8d151 324->325 326 d8d152-d8d16d call d8d618 324->326 325->326 330 d8d173-d8d1a2 GetCurrentThreadId 326->330 331 d8d1ab-d8d20d 330->331 332 d8d1a4-d8d1aa 330->332 332->331
              APIs
              • GetCurrentProcess.KERNEL32 ref: 00D8D0BE
              • GetCurrentThread.KERNEL32 ref: 00D8D0FB
              • GetCurrentProcess.KERNEL32 ref: 00D8D138
              • GetCurrentThreadId.KERNEL32 ref: 00D8D191
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 01abe235b3d06727e240d82cc990a3e1ebcd15de0f741bd7c5567054cc498673
              • Instruction ID: 8481a5b6f783f6efcf967facab792770a709b4ffd252aa8cd62e08ce50821fc7
              • Opcode Fuzzy Hash: 01abe235b3d06727e240d82cc990a3e1ebcd15de0f741bd7c5567054cc498673
              • Instruction Fuzzy Hash: 295157B0D003498FDB14DFA9D948B9EBBF2EF88314F248459E409A73A0D7B45985CB65

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 456 9bf4937-9bf49d5 459 9bf4a0e-9bf4a2e 456->459 460 9bf49d7-9bf49e1 456->460 467 9bf4a67-9bf4a96 459->467 468 9bf4a30-9bf4a3a 459->468 460->459 461 9bf49e3-9bf49e5 460->461 462 9bf4a08-9bf4a0b 461->462 463 9bf49e7-9bf49f1 461->463 462->459 465 9bf49f5-9bf4a04 463->465 466 9bf49f3 463->466 465->465 469 9bf4a06 465->469 466->465 474 9bf4acf-9bf4b89 CreateProcessA 467->474 475 9bf4a98-9bf4aa2 467->475 468->467 470 9bf4a3c-9bf4a3e 468->470 469->462 472 9bf4a61-9bf4a64 470->472 473 9bf4a40-9bf4a4a 470->473 472->467 476 9bf4a4e-9bf4a5d 473->476 477 9bf4a4c 473->477 488 9bf4b8b-9bf4b91 474->488 489 9bf4b92-9bf4c18 474->489 475->474 479 9bf4aa4-9bf4aa6 475->479 476->476 478 9bf4a5f 476->478 477->476 478->472 480 9bf4ac9-9bf4acc 479->480 481 9bf4aa8-9bf4ab2 479->481 480->474 483 9bf4ab6-9bf4ac5 481->483 484 9bf4ab4 481->484 483->483 486 9bf4ac7 483->486 484->483 486->480 488->489 499 9bf4c1a-9bf4c1e 489->499 500 9bf4c28-9bf4c2c 489->500 499->500 501 9bf4c20 499->501 502 9bf4c2e-9bf4c32 500->502 503 9bf4c3c-9bf4c40 500->503 501->500 502->503 504 9bf4c34 502->504 505 9bf4c42-9bf4c46 503->505 506 9bf4c50-9bf4c54 503->506 504->503 505->506 509 9bf4c48 505->509 507 9bf4c66-9bf4c6d 506->507 508 9bf4c56-9bf4c5c 506->508 510 9bf4c6f-9bf4c7e 507->510 511 9bf4c84 507->511 508->507 509->506 510->511 513 9bf4c85 511->513 513->513
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09BF4B76
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 73d0fa998eb060ece9fb44a99c11c8bafcc6d8427da0db9a74946946a106d22f
              • Instruction ID: 47f767134de996c43262013ef3a3282dce972d39b5ebcc0f49b5791b0026d5bd
              • Opcode Fuzzy Hash: 73d0fa998eb060ece9fb44a99c11c8bafcc6d8427da0db9a74946946a106d22f
              • Instruction Fuzzy Hash: C3A15C71D002198FDB24DF68CC957EEBBB2FF48320F1485A9E909A7250DB749985CF92

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 514 9bf4940-9bf49d5 516 9bf4a0e-9bf4a2e 514->516 517 9bf49d7-9bf49e1 514->517 524 9bf4a67-9bf4a96 516->524 525 9bf4a30-9bf4a3a 516->525 517->516 518 9bf49e3-9bf49e5 517->518 519 9bf4a08-9bf4a0b 518->519 520 9bf49e7-9bf49f1 518->520 519->516 522 9bf49f5-9bf4a04 520->522 523 9bf49f3 520->523 522->522 526 9bf4a06 522->526 523->522 531 9bf4acf-9bf4b89 CreateProcessA 524->531 532 9bf4a98-9bf4aa2 524->532 525->524 527 9bf4a3c-9bf4a3e 525->527 526->519 529 9bf4a61-9bf4a64 527->529 530 9bf4a40-9bf4a4a 527->530 529->524 533 9bf4a4e-9bf4a5d 530->533 534 9bf4a4c 530->534 545 9bf4b8b-9bf4b91 531->545 546 9bf4b92-9bf4c18 531->546 532->531 536 9bf4aa4-9bf4aa6 532->536 533->533 535 9bf4a5f 533->535 534->533 535->529 537 9bf4ac9-9bf4acc 536->537 538 9bf4aa8-9bf4ab2 536->538 537->531 540 9bf4ab6-9bf4ac5 538->540 541 9bf4ab4 538->541 540->540 543 9bf4ac7 540->543 541->540 543->537 545->546 556 9bf4c1a-9bf4c1e 546->556 557 9bf4c28-9bf4c2c 546->557 556->557 558 9bf4c20 556->558 559 9bf4c2e-9bf4c32 557->559 560 9bf4c3c-9bf4c40 557->560 558->557 559->560 561 9bf4c34 559->561 562 9bf4c42-9bf4c46 560->562 563 9bf4c50-9bf4c54 560->563 561->560 562->563 566 9bf4c48 562->566 564 9bf4c66-9bf4c6d 563->564 565 9bf4c56-9bf4c5c 563->565 567 9bf4c6f-9bf4c7e 564->567 568 9bf4c84 564->568 565->564 566->563 567->568 570 9bf4c85 568->570 570->570
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09BF4B76
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 68f34f034db5caddc7b8c6bbefce57b13a381f9c1003093824961039538741e5
              • Instruction ID: 1ee1d8e10a835484a189e09c2d413d4d5e070195213de00b6c95417ad368789a
              • Opcode Fuzzy Hash: 68f34f034db5caddc7b8c6bbefce57b13a381f9c1003093824961039538741e5
              • Instruction Fuzzy Hash: 2B916D71D002198FDF20DF68C8957EEBBB2FF48310F1485A9E909A7250DB749985CF92

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 571 d8ada8-d8adb7 572 d8adb9-d8adc6 call d8a0cc 571->572 573 d8ade3-d8ade7 571->573 578 d8adc8 572->578 579 d8addc 572->579 575 d8ade9-d8adf3 573->575 576 d8adfb-d8ae3c 573->576 575->576 582 d8ae49-d8ae57 576->582 583 d8ae3e-d8ae46 576->583 626 d8adce call d8b040 578->626 627 d8adce call d8b030 578->627 579->573 584 d8ae59-d8ae5e 582->584 585 d8ae7b-d8ae7d 582->585 583->582 587 d8ae69 584->587 588 d8ae60-d8ae67 call d8a0d8 584->588 590 d8ae80-d8ae87 585->590 586 d8add4-d8add6 586->579 589 d8af18-d8afd8 586->589 592 d8ae6b-d8ae79 587->592 588->592 621 d8afda-d8afdd 589->621 622 d8afe0-d8b00b GetModuleHandleW 589->622 593 d8ae89-d8ae91 590->593 594 d8ae94-d8ae9b 590->594 592->590 593->594 596 d8aea8-d8aeaa call d8a0e8 594->596 597 d8ae9d-d8aea5 594->597 601 d8aeaf-d8aeb1 596->601 597->596 602 d8aebe-d8aec3 601->602 603 d8aeb3-d8aebb 601->603 604 d8aee1-d8aeee 602->604 605 d8aec5-d8aecc 602->605 603->602 612 d8aef0-d8af0e 604->612 613 d8af11-d8af17 604->613 605->604 607 d8aece-d8aede call d8a0f8 call d8a108 605->607 607->604 612->613 621->622 623 d8b00d-d8b013 622->623 624 d8b014-d8b028 622->624 623->624 626->586 627->586
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00D8AFFE
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 93d38226602dc3662ef7cbac0c9997c79062c709af7112638add448e2a19dd83
              • Instruction ID: 2a35d849a172436ad29085231115484ed3f6492bba7948860e91f078c80fa739
              • Opcode Fuzzy Hash: 93d38226602dc3662ef7cbac0c9997c79062c709af7112638add448e2a19dd83
              • Instruction Fuzzy Hash: 31715670A00B058FE725EF29D44575ABBF1FF88300F14892EE48AD7A50D735E949CBA1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 736 d8590c-d859d9 CreateActCtxA 738 d859db-d859e1 736->738 739 d859e2-d85a3c 736->739 738->739 746 d85a4b-d85a4f 739->746 747 d85a3e-d85a41 739->747 748 d85a60 746->748 749 d85a51-d85a5d 746->749 747->746 751 d85a61 748->751 749->748 751->751
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00D859C9
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: d7746aec612c4db63c60932a6bc7072e542d0fcfa0604d280525acb86973a1a1
              • Instruction ID: 9704b3f64ffe8fd1088beda64a9a09e7c7f398fb5a69b79d83f9f3720c740c31
              • Opcode Fuzzy Hash: d7746aec612c4db63c60932a6bc7072e542d0fcfa0604d280525acb86973a1a1
              • Instruction Fuzzy Hash: FA410FB0C00619CFCB24DFA9C884ACDBBB5BF48304F20816AD408AB255DBB5694ACF61

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 752 d844b4-d859d9 CreateActCtxA 755 d859db-d859e1 752->755 756 d859e2-d85a3c 752->756 755->756 763 d85a4b-d85a4f 756->763 764 d85a3e-d85a41 756->764 765 d85a60 763->765 766 d85a51-d85a5d 763->766 764->763 768 d85a61 765->768 766->765 768->768
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00D859C9
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 0cc96f81f1916035a408eb70008095bb95d35317c777546ab74abfb6c388f085
              • Instruction ID: 46373ab6c7cd10aaa58603910b36b20f58ecbfc86bdcbc84dd0853e32a021aa6
              • Opcode Fuzzy Hash: 0cc96f81f1916035a408eb70008095bb95d35317c777546ab74abfb6c388f085
              • Instruction Fuzzy Hash: 3941D1B0D0061DCBDB24DFA9C884BDDBBB5BF48304F20816AD408AB255DB756945CFA1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 769 9bf46b1-9bf4706 772 9bf4708-9bf4714 769->772 773 9bf4716-9bf4755 WriteProcessMemory 769->773 772->773 775 9bf475e-9bf478e 773->775 776 9bf4757-9bf475d 773->776 776->775
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09BF4748
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 51c22725e2b1cef83f6fa1d303b3869b188265359a1d3e402828da6e6dba1348
              • Instruction ID: b9323ef1ad551cd8a5c38ebc9af0db8e7b4493a02e95f51719080fb1def4758b
              • Opcode Fuzzy Hash: 51c22725e2b1cef83f6fa1d303b3869b188265359a1d3e402828da6e6dba1348
              • Instruction Fuzzy Hash: DF2137B69003499FCB10CFA9C885BDEBBF5FF89320F10842AE919A7250D7749955CBA1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 780 9bf46b8-9bf4706 782 9bf4708-9bf4714 780->782 783 9bf4716-9bf4755 WriteProcessMemory 780->783 782->783 785 9bf475e-9bf478e 783->785 786 9bf4757-9bf475d 783->786 786->785
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09BF4748
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 3d68cc0176a97c69d518a73c03431a6a6627d224928a29f366640a1e10ea02d6
              • Instruction ID: 0940a39e58070b3e695bd4872a347f892f51942254e773665620478cae31aa64
              • Opcode Fuzzy Hash: 3d68cc0176a97c69d518a73c03431a6a6627d224928a29f366640a1e10ea02d6
              • Instruction Fuzzy Hash: E72139B5D003499FCB10CFA9C885BEEBBF5FF88320F108429E919A7250C7789955CBA1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 790 9bf47a0-9bf4835 ReadProcessMemory 794 9bf483e-9bf486e 790->794 795 9bf4837-9bf483d 790->795 795->794
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09BF4828
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 3cf863ba57ab32d0ffa0250c019ae66efe8e1ffc931138bcdbc75df43d0e39d2
              • Instruction ID: db3a317a86a45bdc5d69961c3789d832071c15a4170166bfbf6678a4b6ceb671
              • Opcode Fuzzy Hash: 3cf863ba57ab32d0ffa0250c019ae66efe8e1ffc931138bcdbc75df43d0e39d2
              • Instruction Fuzzy Hash: 9E2139B2C003499FCB10DFA9D885AEEBBF5FF48320F10842AE519A7240C7349555CBA1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 799 9bf40e0-9bf4133 802 9bf4135-9bf4141 799->802 803 9bf4143-9bf4173 Wow64SetThreadContext 799->803 802->803 805 9bf417c-9bf41ac 803->805 806 9bf4175-9bf417b 803->806 806->805
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09BF4166
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 1fc624e7aaf632dfa4071f4b5395f5064e331a2b4d27f3fcfd1229b37a56bfeb
              • Instruction ID: 43620b83a1850daefd4cb0a034030e3a1c09dd356a7ceb05128620c565e1d0f2
              • Opcode Fuzzy Hash: 1fc624e7aaf632dfa4071f4b5395f5064e331a2b4d27f3fcfd1229b37a56bfeb
              • Instruction Fuzzy Hash: D52148B1D043098FCB10DFAAC4857AEBFF4EB89320F108429D559A7240C7789645CFA1
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8D717
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 701873fb66b750879bf93065d1c971e3baf623784dddc29c8ed91dfb1577ec18
              • Instruction ID: 5db8db4f7f0ca8555d9b55972507648207e63381c7b7f0f2ff06aa2d49f63e57
              • Opcode Fuzzy Hash: 701873fb66b750879bf93065d1c971e3baf623784dddc29c8ed91dfb1577ec18
              • Instruction Fuzzy Hash: 4421E5B5D002499FDB10CF9AD984AEEBBF9FB48314F14841AE915A3350D374A954CF61
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09BF4166
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: a17f91bef0eafdb764110717a34b7c06c8cb76169c8e6a5e6e85352e4a0a97b9
              • Instruction ID: 6739fd0ca8676500d038a27dfdd83f4ffa1b4d467bdef97fcc8d746c0199e81c
              • Opcode Fuzzy Hash: a17f91bef0eafdb764110717a34b7c06c8cb76169c8e6a5e6e85352e4a0a97b9
              • Instruction Fuzzy Hash: D32137B1D002098FDB10DFAAC4857AEBFF5EB89324F108429D519A7240C778AA45CFA1
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09BF4828
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 2c938ce2d20b664591b00d5380a7e2fe143a39ba5f902ed2b50e4f6ad97f0863
              • Instruction ID: abe18372aa1d8600bdc5642fa1dc82b606917c9127abcc2810d13d46829237b3
              • Opcode Fuzzy Hash: 2c938ce2d20b664591b00d5380a7e2fe143a39ba5f902ed2b50e4f6ad97f0863
              • Instruction Fuzzy Hash: 5E2139B1C003499FCB10DFAAC885AEEFBF5FF88320F108429E519A7250C7749555DBA1
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8D717
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: af2664c5362e17a3d366d36b1d3b22f762625cc6feaf57dbf16b5cacd6c4db73
              • Instruction ID: 7ad712086c5ff4169810215b206952510d0365c450108b62684f2b0690a83173
              • Opcode Fuzzy Hash: af2664c5362e17a3d366d36b1d3b22f762625cc6feaf57dbf16b5cacd6c4db73
              • Instruction Fuzzy Hash: 2821C2B5D002499FDB10CFAAD984ADEBBF9FB48310F14841AE919A3350D374A954CFA5
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09BF4666
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 404c1a99f5d71222822fae59ad4966c019676585372525fd049e65e614f13955
              • Instruction ID: 01b8c4712f0bf89d03424214dc86f66ae2237244ce84f97c374cf762798ac689
              • Opcode Fuzzy Hash: 404c1a99f5d71222822fae59ad4966c019676585372525fd049e65e614f13955
              • Instruction Fuzzy Hash: 1C215972C002499FCB10DFA9C848ADFBFF5EF89324F148459E519A7250C775A554CFA1
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 5431938a5b592a29923f4111a2bfd9da66fa6929c9a3d7d5eb4759a770b11fd3
              • Instruction ID: 45543bb9d42bb3b76bd1e87ded50aa15466fcc92f8c0fda1cb311d42720a6a69
              • Opcode Fuzzy Hash: 5431938a5b592a29923f4111a2bfd9da66fa6929c9a3d7d5eb4759a770b11fd3
              • Instruction Fuzzy Hash: BE1134B1D003498FCB20DFAAC4857AEFFF4EB89324F20842AD519A7240C778A545CFA1
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09BF4666
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: ad0df15f02f8bcdf62e32cbd1efd30b862edfbacb7db9608da6e4da61029ecac
              • Instruction ID: 551e4d29b7d3ba153f7c3ccca1918650448c4aa5d59092150e8080109f04253d
              • Opcode Fuzzy Hash: ad0df15f02f8bcdf62e32cbd1efd30b862edfbacb7db9608da6e4da61029ecac
              • Instruction Fuzzy Hash: 181137B2D002499FCB10DFAAC845ADFBFF5EF88320F108419E519A7250C775A554CFA1
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 6cd686c2ac96c2d267ee5d76436ee11ea45bd0f1ed99dda44ed229c5a5872684
              • Instruction ID: abdad92d7ca527a40ea605712c5d5f4088ac6eaa6c248fadbb546aeefc394213
              • Opcode Fuzzy Hash: 6cd686c2ac96c2d267ee5d76436ee11ea45bd0f1ed99dda44ed229c5a5872684
              • Instruction Fuzzy Hash: 101125B1D003498FCB20DFAAC4457AEFFF4EB88324F208419D519A7240CB75A944CBA5
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00D8AFFE
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: b78922118432631cfb3e2d6c91b70541bda0ab9d37b264894826871c85ce32d8
              • Instruction ID: 31f3bd0be0b521279cd22d4543e334606f85435c679a785bfdf12b067153ed8c
              • Opcode Fuzzy Hash: b78922118432631cfb3e2d6c91b70541bda0ab9d37b264894826871c85ce32d8
              • Instruction Fuzzy Hash: 5611E0B6C002498FDB14DF9AD444ADEFBF4EF88324F14842AD529A7210D379A545CFA1
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 09BF91CD
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: d36f37c351dc59e6be57ed4b74dda6366cc7b8b812c60677737b9afdeec79194
              • Instruction ID: 4fd8a3dcaf8ce83633c9a9a053096d02bc2a79b9a6d2cc0c4be2067748a6a33a
              • Opcode Fuzzy Hash: d36f37c351dc59e6be57ed4b74dda6366cc7b8b812c60677737b9afdeec79194
              • Instruction Fuzzy Hash: E211D3B58003499FDB10DF9AD889BDEBFF8EB48320F108469E519A7240C375AA44CFA5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 09BF91CD
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: bf2efb36704d02a99bb1ab23ce48c69e4f18b111696034d2947af1c12369b607
              • Instruction ID: b11474548fd663432fa560686f675d5ddc0c263a8b169c946e07059e46f839c0
              • Opcode Fuzzy Hash: bf2efb36704d02a99bb1ab23ce48c69e4f18b111696034d2947af1c12369b607
              • Instruction Fuzzy Hash: D911D3B58003499FDB10DF9AD889BDEBFF8FB48320F10845AE519A7640C375A684CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1699178442.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d2d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c44e175557fd8e9a1db0fc19d009d3bd547db8ebba80bf15f72c3a42f44870c7
              • Instruction ID: b61064125b5b956f82dbf137ffcd2a2d44fb3f327899a47b1dcaa67668861139
              • Opcode Fuzzy Hash: c44e175557fd8e9a1db0fc19d009d3bd547db8ebba80bf15f72c3a42f44870c7
              • Instruction Fuzzy Hash: 3B21F5B1504240DFDB05DF14E9C0B26BFA6FBA831CF34C569E9490B256C376D856CAB1
              Memory Dump Source
              • Source File: 00000000.00000002.1699434206.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a43c67c991c7ab55573489c284b8b06f5f8c8341442404e811d006ce5cddac6e
              • Instruction ID: b0fc0210feddf9850b6eb0891e7a764878b3cabb56e39eee73884b85c3992ea2
              • Opcode Fuzzy Hash: a43c67c991c7ab55573489c284b8b06f5f8c8341442404e811d006ce5cddac6e
              • Instruction Fuzzy Hash: 592126B9504200EFDB05DF14E9C0B26BBA6FB84314F38C56DE8494B296C736D81ACE75
              Memory Dump Source
              • Source File: 00000000.00000002.1699434206.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d70b4b94d7f2711030199674130d7b0b958e47b11291cfaa89395532f8f5f701
              • Instruction ID: 9314391d9d253582351ede05927e1ea59f519383080e6a6b5e8135339c29208c
              • Opcode Fuzzy Hash: d70b4b94d7f2711030199674130d7b0b958e47b11291cfaa89395532f8f5f701
              • Instruction Fuzzy Hash: B721D3B1504240DFDB18DF14E5C4B16BB66EB84714F24C569E84A4B296C336D807CA71
              Memory Dump Source
              • Source File: 00000000.00000002.1699434206.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc24798fc9ef2486bdf0ca4be9acfc0f92fdd75a410860393f0b516451dc3fa7
              • Instruction ID: d0bd7a6070489b336b1ccc80f603885dc3cadca6d6b8be3dab26ce33da51f2ac
              • Opcode Fuzzy Hash: fc24798fc9ef2486bdf0ca4be9acfc0f92fdd75a410860393f0b516451dc3fa7
              • Instruction Fuzzy Hash: 532192755093C08FCB06CF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62
              Memory Dump Source
              • Source File: 00000000.00000002.1699178442.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d2d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction ID: 6f26546381805f4380b13824a78c193c942407de3652496d70b3c8afbda45445
              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction Fuzzy Hash: BB11E676504280CFDB16CF14E5C4B16BF72FBA4318F38C6A9D8494B656C336D85ACBA1
              Memory Dump Source
              • Source File: 00000000.00000002.1699434206.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction ID: 3ee1b7701140a61e79bccff00e83c4bd889852b49fd0dd3ae81f872f8726c143
              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction Fuzzy Hash: 5C118B79904280DFDB16CF14E5C4B16BBA2FB84314F28C6A9D8494B696C33AD85ACF61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b67123c438d48745d7ba5897ded0f4bcab67ce03cf8924e903ba009e1885e38f
              • Instruction ID: 24900695acd9a71c1e8bb518e213fb0dde7a8444b59f5837730cf5c355ee900e
              • Opcode Fuzzy Hash: b67123c438d48745d7ba5897ded0f4bcab67ce03cf8924e903ba009e1885e38f
              • Instruction Fuzzy Hash: 26E13674E04219CFDB14DFA8C5909AEFBB2FF88314F2485A9E518AB316C731A945CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a9a975b39c43367b5328b08ba7efb9501b89a3c219846aa5948d06fc58aea54
              • Instruction ID: 00ffae3c8eccdb84c9a81386c4116677a2880113be81f981a3ceae576b9c1f05
              • Opcode Fuzzy Hash: 9a9a975b39c43367b5328b08ba7efb9501b89a3c219846aa5948d06fc58aea54
              • Instruction Fuzzy Hash: E2E12774E002198FDB14DFA8C9949AEFBF2FF88314F2481A9E518AB355C731A945CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eec16c3eab27cb2e0711820c7a168af17dd565fa75f0a0d7dfe7a5350f91ff7
              • Instruction ID: 8620264c3cfbb528fccb5fa7a20a8ddcadcda4055e6243f5d7d6772fc4dd8984
              • Opcode Fuzzy Hash: 7eec16c3eab27cb2e0711820c7a168af17dd565fa75f0a0d7dfe7a5350f91ff7
              • Instruction Fuzzy Hash: A7E12974E002198FDB14DFA8C5909AEFBB2FF89314F24C1A9E918AB315C731A945CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51e090abeaaf93d3f5327d4095248d0ae40e8d4757e7746ce0550158cf720fd9
              • Instruction ID: 6a9c06843cedd9ba0e3957a9dfa7f9064e0f6d85d90f76afc6c2e50d46ca5c1b
              • Opcode Fuzzy Hash: 51e090abeaaf93d3f5327d4095248d0ae40e8d4757e7746ce0550158cf720fd9
              • Instruction Fuzzy Hash: 3CE14874E002198FDB14DFA8C5949AEFBB2FF88314F24C1A9E518AB356C731A945CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f65a62b116afa85ccd41805fd3b1eb892145602f7b4ae3b028723013a53b65c6
              • Instruction ID: b3a58d7ee93207028f3966f2d51374b0ac101ed0e07d65b32452cbd1e9ba2bad
              • Opcode Fuzzy Hash: f65a62b116afa85ccd41805fd3b1eb892145602f7b4ae3b028723013a53b65c6
              • Instruction Fuzzy Hash: BBE11774E04219CFCB14DFA9C5909AEFBB2FF88314F2481A9E518AB315D731A941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.1700078200.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d80000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c7e264db65612285996ce5a58a4cd9945cbc351b21391d4e33ab79cf5d03e3f
              • Instruction ID: d83bf14990a34a58de5d73465dd528a7ffce813df348dd1c7d995897cfaf01f7
              • Opcode Fuzzy Hash: 7c7e264db65612285996ce5a58a4cd9945cbc351b21391d4e33ab79cf5d03e3f
              • Instruction Fuzzy Hash: 63A14C36E00315CFCF05EFA5C8845AEB7B2FF85300B25457AE805AB265DB31E956CB60
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec58eaafa07d6e3fd7e23434dd7173ddf84ca4962fed278814a3832f08d68750
              • Instruction ID: d9cf59e213cfa86ececf0fd35f802b21bbb27ca38e0796476b3b12d4932023d1
              • Opcode Fuzzy Hash: ec58eaafa07d6e3fd7e23434dd7173ddf84ca4962fed278814a3832f08d68750
              • Instruction Fuzzy Hash: D1515878D09208DBCB04DFAAD9545FDFBFAAF89360F04D0A6E919A7222D7305909CF50
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 613b3906b8b6aba9c4260cf50a57ed999e4f5beacc49b9d46f9fe9b60917a910
              • Instruction ID: eab553998ec4b9a6ba340e51327de7509b0bedb957b1edc621eba783a4214609
              • Opcode Fuzzy Hash: 613b3906b8b6aba9c4260cf50a57ed999e4f5beacc49b9d46f9fe9b60917a910
              • Instruction Fuzzy Hash: D5512A70E002198FDB14DFA9C9845AEFBF2AF89310F24C1AAD418AB356D7319A45CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1708768020.0000000009BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09BF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bf0000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12fd0ad2732f84d827ba2d8ab3b5063b64e0741e39ea5b07afd55eb02b737bc5
              • Instruction ID: 25f73da44195debf600cecc47851805f3264062ca95a7ab6a7bf12f872f70ff0
              • Opcode Fuzzy Hash: 12fd0ad2732f84d827ba2d8ab3b5063b64e0741e39ea5b07afd55eb02b737bc5
              • Instruction Fuzzy Hash: 2A513A71E002198FDB14DFA9C9805AEFBF2BF89300F24C1AAD518A7315C731AA46CF61

              Execution Graph

              Execution Coverage:15.2%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:29
              Total number of Limit Nodes:0
              execution_graph 14629 2c04810 14630 2c0482c 14629->14630 14635 2c04890 14630->14635 14631 2c04838 14632 2c0485d 14631->14632 14640 2c0b3c8 14631->14640 14636 2c048bc 14635->14636 14645 2c0ac90 14636->14645 14649 2c0ac89 14636->14649 14637 2c0490f 14637->14631 14641 2c0b3ed 14640->14641 14653 2c0b4d8 14641->14653 14657 2c0b4c9 14641->14657 14646 2c0acd1 GetConsoleWindow 14645->14646 14648 2c0ad12 14646->14648 14648->14637 14650 2c0acd1 GetConsoleWindow 14649->14650 14652 2c0ad12 14650->14652 14652->14637 14655 2c0b4ff 14653->14655 14654 2c0b5dc 14654->14654 14655->14654 14661 2c0b0ec 14655->14661 14659 2c0b4d8 14657->14659 14658 2c0b5dc 14658->14658 14659->14658 14660 2c0b0ec CreateActCtxA 14659->14660 14660->14658 14662 2c0c590 CreateActCtxA 14661->14662 14664 2c0c696 14662->14664 14664->14654 14665 2c0484d 14666 2c04855 14665->14666 14667 2c0485d 14666->14667 14668 2c0b3c8 CreateActCtxA 14666->14668 14668->14667

              Control-flow Graph

              control_flow_graph 2933 2c0b0ec-2c0c694 CreateActCtxA 2938 2c0c696-2c0c69c 2933->2938 2939 2c0c69d-2c0c722 2933->2939 2938->2939 2948 2c0c724-2c0c734 2939->2948 2949 2c0c74f-2c0c780 2939->2949 2952 2c0c73b-2c0c747 2948->2952 2954 2c0c782-2c0c7b3 2949->2954 2955 2c0c725-2c0c734 2949->2955 2952->2949 2958 2c0c7d3-2c0c93d 2954->2958 2959 2c0c7b5-2c0c7d2 2954->2959 2955->2952 2984 2c0c9e0-2c0ca78 2958->2984 2985 2c0c943-2c0c989 2958->2985 2990 2c0c994-2c0c9df 2985->2990 2991 2c0c98b-2c0c98f 2985->2991 2991->2990
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 02C0C681
              Memory Dump Source
              • Source File: 00000006.00000002.1683687501.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2c00000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 93629acb827f09b7f573423491e5213a31627ae1ad96336e0fa6330d89e1b8d6
              • Instruction ID: 19ff70f0205e1d1aa256f30cf4b99737c15a2b5606179d776f89227ffc9f5adf
              • Opcode Fuzzy Hash: 93629acb827f09b7f573423491e5213a31627ae1ad96336e0fa6330d89e1b8d6
              • Instruction Fuzzy Hash: E051B971D0421D8FDB24DFA9C884BDEBBF5EF45300F1081AAD509A7251DB716A85CF91

              Control-flow Graph

              control_flow_graph 2998 2c0c585-2c0c626 3000 2c0c62d-2c0c694 CreateActCtxA 2998->3000 3002 2c0c696-2c0c69c 3000->3002 3003 2c0c69d-2c0c722 3000->3003 3002->3003 3012 2c0c724-2c0c734 3003->3012 3013 2c0c74f-2c0c780 3003->3013 3016 2c0c73b-2c0c747 3012->3016 3018 2c0c782-2c0c7b3 3013->3018 3019 2c0c725-2c0c734 3013->3019 3016->3013 3022 2c0c7d3-2c0c93d 3018->3022 3023 2c0c7b5-2c0c7d2 3018->3023 3019->3016 3048 2c0c9e0-2c0ca78 3022->3048 3049 2c0c943-2c0c989 3022->3049 3054 2c0c994-2c0c9df 3049->3054 3055 2c0c98b-2c0c98f 3049->3055 3055->3054
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 02C0C681
              Memory Dump Source
              • Source File: 00000006.00000002.1683687501.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2c00000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 1bd670ddd4f99b3fd97a2235d9b36c5ddbe2ad5f0d55bf2e1a53a9995c10296c
              • Instruction ID: 34f24a3d663da3bb42e2874718c095daa0f1064dd7221c7166ee0bb4246e5427
              • Opcode Fuzzy Hash: 1bd670ddd4f99b3fd97a2235d9b36c5ddbe2ad5f0d55bf2e1a53a9995c10296c
              • Instruction Fuzzy Hash: A751C8B1D00219CFDB20DFA9C984BDEBBF5AF45300F1080AAD509A7251DB716A89CF91

              Control-flow Graph

              control_flow_graph 3062 2c0ac89-2c0ad10 GetConsoleWindow 3065 2c0ad12-2c0ad18 3062->3065 3066 2c0ad19-2c0ad59 3062->3066 3065->3066
              APIs
              • GetConsoleWindow.KERNELBASE ref: 02C0AD00
              Memory Dump Source
              • Source File: 00000006.00000002.1683687501.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2c00000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: ConsoleWindow
              • String ID:
              • API String ID: 2863861424-0
              • Opcode ID: b8b5f696bfddfb4bfc2e8d871d7d5b26d83d92e5511ba44ca76936071b3c9280
              • Instruction ID: 1ad50f68c2eecf13d4ba2263edd1c46b52ac9abfe012dfe480680bb84ce68559
              • Opcode Fuzzy Hash: b8b5f696bfddfb4bfc2e8d871d7d5b26d83d92e5511ba44ca76936071b3c9280
              • Instruction Fuzzy Hash: 1421DEB4D013098FCB10CFA9D584ADEFBF4EB89324F24941AE419B7240C7356942CFA5

              Control-flow Graph

              control_flow_graph 3071 2c0ac90-2c0ad10 GetConsoleWindow 3074 2c0ad12-2c0ad18 3071->3074 3075 2c0ad19-2c0ad59 3071->3075 3074->3075
              APIs
              • GetConsoleWindow.KERNELBASE ref: 02C0AD00
              Memory Dump Source
              • Source File: 00000006.00000002.1683687501.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2c00000_7jmd8E2KEb.jbxd
              Similarity
              • API ID: ConsoleWindow
              • String ID:
              • API String ID: 2863861424-0
              • Opcode ID: fb443b46d82038bbca3894246dac85ea9b52c469d542f5685edfcdfd15398b45
              • Instruction ID: 576bc52ad47436103bbe947b5dd3fcf3ab7b54d718b85c58a4a0fb37196eac93
              • Opcode Fuzzy Hash: fb443b46d82038bbca3894246dac85ea9b52c469d542f5685edfcdfd15398b45
              • Instruction Fuzzy Hash: 1C21BCB4D013099FCB10CFA9D585ADEFBF4AB89324F24942AD419B7240C735A945CFA5
              Memory Dump Source
              • Source File: 00000006.00000002.1682825151.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2a2d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7980d371d05a9dba7cb6a41b484b9adf1bdcd5e79ec2634c705deab8542acb35
              • Instruction ID: c7f8b3e25d840cbc9c40c1ce0661b7066873a5a713de0eae370fc46af816a45c
              • Opcode Fuzzy Hash: 7980d371d05a9dba7cb6a41b484b9adf1bdcd5e79ec2634c705deab8542acb35
              • Instruction Fuzzy Hash: 582137B1544640DFDB05DF18D9C0B26BFA9FB88318F24C56DE90A0B257C776D41ACBA2
              Memory Dump Source
              • Source File: 00000006.00000002.1682904349.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2a3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93927333f76e680f6335e836d9d8d431adb506aea0abd45e40afaab59fd117cd
              • Instruction ID: 1356bacbe46d898f0ead5f2471125b494c73ad9de590d853aafe2f0854b1072b
              • Opcode Fuzzy Hash: 93927333f76e680f6335e836d9d8d431adb506aea0abd45e40afaab59fd117cd
              • Instruction Fuzzy Hash: 902126B1504600EFDB06DF94D9C0B26FBB5FB88314F24C96DF84A4B252CB36D41ACA61
              Memory Dump Source
              • Source File: 00000006.00000002.1682904349.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2a3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b161d127cc7f7dfe8f8ffbea603e3c923707b92b0f1f010a20ebbe414f6e4568
              • Instruction ID: 7b114cfe47338765141773efa98f032aa046b265bba66e38620a962500558b17
              • Opcode Fuzzy Hash: b161d127cc7f7dfe8f8ffbea603e3c923707b92b0f1f010a20ebbe414f6e4568
              • Instruction Fuzzy Hash: CA2122B1604600EFDB16DF24D9C0B26BBA5FB85714F24C56DE84B0B246CB3AD807CA61
              Memory Dump Source
              • Source File: 00000006.00000002.1682904349.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2a3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a56f67fb48850e59c3d7076ecf8f67e594bb25a8f1612800fb0a00094b8386b
              • Instruction ID: 50dab2dbafea163181dfe061cfbfdccd1177995ba92b87e3e6590c5a42564a00
              • Opcode Fuzzy Hash: 4a56f67fb48850e59c3d7076ecf8f67e594bb25a8f1612800fb0a00094b8386b
              • Instruction Fuzzy Hash: E4217C75509780CFCB03CF24D9D4715BF71EB46214F28C5DAD8898B6A7C33A980ACB62
              Memory Dump Source
              • Source File: 00000006.00000002.1682825151.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2a2d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction ID: 1e62d259f0b205f8c52a6b47460a035328559554146eb449b5b9f92d4ebd4471
              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction Fuzzy Hash: F6110372804280CFDB02CF08D5C4B16BF71FB84324F24C5A9D9090B257C336D45ACBA2
              Memory Dump Source
              • Source File: 00000006.00000002.1682904349.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_2a3d000_7jmd8E2KEb.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction ID: 590b131cd05cfdbd2e8176345f80d41907da0630c1d5c48eb5c772e0daa7fe1b
              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction Fuzzy Hash: AD11DD75904680DFCB02CF50D5C4B15FBB1FB84314F24C6ADE8494B696C73AD41ACB61
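Several Opcode IDs in the listing above recur across processes: c71a23e6… appears in process 0 (region 00D2D000) and again in process 6 (region 02A2D000), and 5ecdbd21… appears in process 0 (00D3D000) and process 6 (02A3D000), each time with a different Instruction ID. That is the pattern of the same function body mapped at a different base in a second process, and it is worth pulling out mechanically rather than by eye. The following is an added example, not Joe Sandbox code and not part of the report; it assumes only what the listing shows (a "Source File:" line whose first dot-separated field is the process index, followed by "Opcode ID:" and "Instruction ID:" lines for the same function). The function names and the trimmed sample listing are ours.

```python
"""Correlate Joe Sandbox disassembly entries by Opcode ID across processes.

Added example, not from the report or from Joe Sandbox. Assumes only that each
function entry carries a "Source File:" line (first dot-separated field = process
index, fourth = base address) followed by "Opcode ID:" and "Instruction ID:".
"""
import re
from collections import defaultdict

# Constructed sample: four entries copied from the report (two from process 0,
# two from process 6) and reduced to the three lines this matcher reads.
LISTING = """\
• Source File: 00000000.00000002.1699178442.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
• Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
• Instruction ID: 6f26546381805f4380b13824a78c193c942407de3652496d70b3c8afbda45445
• Source File: 00000000.00000002.1699434206.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
• Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
• Instruction ID: 3ee1b7701140a61e79bccff00e83c4bd889852b49fd0dd3ae81f872f8726c143
• Source File: 00000006.00000002.1682825151.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
• Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
• Instruction ID: 1e62d259f0b205f8c52a6b47460a035328559554146eb449b5b9f92d4ebd4471
• Source File: 00000006.00000002.1683687501.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
• Opcode ID: b8b5f696bfddfb4bfc2e8d871d7d5b26d83d92e5511ba44ca76936071b3c9280
• Instruction ID: 1ad50f68c2eecf13d4ba2263edd1c46b52ac9abfe012dfe480680bb84ce68559
"""

_SRC = re.compile(r"Source File:\s*(\d+)\.\d+\.\d+\.([0-9A-Fa-f]+)\.")
_OPC = re.compile(r"Opcode ID:\s*([0-9a-f]{64})")        # does not match "Opcode Fuzzy Hash"
_INS = re.compile(r"Instruction ID:\s*([0-9a-f]{64})")


def parse_entries(text):
    """Return one dict {process, base, opcode_id, instruction_id} per function entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := _SRC.search(line):
            cur = {"process": int(m.group(1)), "base": int(m.group(2), 16)}
        elif (m := _OPC.search(line)) and cur is not None:
            cur["opcode_id"] = m.group(1)
        elif (m := _INS.search(line)) and cur is not None:
            cur["instruction_id"] = m.group(1)
            entries.append(cur)          # Instruction ID closes the entry
            cur = None
    return entries


def shared_opcode_ids(entries):
    """opcode_id -> sorted [(process, base, instruction_id)] for ids seen in >1 process."""
    by_id = defaultdict(list)
    for e in entries:
        by_id[e["opcode_id"]].append((e["process"], e["base"], e["instruction_id"]))
    return {oid: sorted(hits) for oid, hits in by_id.items()
            if len({p for p, _, _ in hits}) > 1}


if __name__ == "__main__":
    for oid, hits in shared_opcode_ids(parse_entries(LISTING)).items():
        print(f"Opcode ID {oid[:16]}... present in:")
        for proc, base, ins in hits:
            print(f"  process {proc} @ {base:#010x}  Instruction ID {ins[:16]}...")
```

Run against the full listing, the output is the set of functions the sandbox saw in both the original process and the later ones; a shared Opcode ID with differing Instruction IDs is the signature of relocated code rather than a coincidental fuzzy-hash collision, and is a good starting point for diffing the two memory regions.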

              Execution Graph

              Execution Coverage:11%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:179
              Total number of Limit Nodes:6
              execution_graph 24200 7194f6d 24201 7194d5c 24200->24201 24202 7195072 24201->24202 24203 7197238 12 API calls 24201->24203 24204 7197228 12 API calls 24201->24204 24203->24202 24204->24202 24205 df4668 24206 df467a 24205->24206 24208 df4686 24206->24208 24209 df477f 24206->24209 24210 df4787 24209->24210 24214 df4879 24210->24214 24218 df4888 24210->24218 24216 df487f 24214->24216 24215 df498c 24215->24215 24216->24215 24222 df44b4 24216->24222 24220 df48af 24218->24220 24219 df498c 24219->24219 24220->24219 24221 df44b4 CreateActCtxA 24220->24221 24221->24219 24223 df5918 CreateActCtxA 24222->24223 24225 df59db 24223->24225 24225->24225 24005 7198430 24006 7198445 24005->24006 24007 71985bb 24006->24007 24009 719578c 24006->24009 24010 71986b0 PostMessageW 24009->24010 24011 719871c 24010->24011 24011->24006 24012 7194df5 24013 7194d5c 24012->24013 24014 7195072 24013->24014 24017 7197228 24013->24017 24037 7197238 24013->24037 24018 719720d 24017->24018 24019 7197236 24017->24019 24018->24014 24024 7197276 24019->24024 24056 7198041 24019->24056 24061 719780e 24019->24061 24066 7197aac 24019->24066 24071 71977ad 24019->24071 24076 71979a9 24019->24076 24081 7197cb6 24019->24081 24086 7197c56 24019->24086 24090 71979f4 24019->24090 24095 7197d55 24019->24095 24100 7197731 24019->24100 24105 719765c 24019->24105 24110 7197cf9 24019->24110 24117 7197787 24019->24117 24122 7197b62 24019->24122 24126 7197a43 24019->24126 24131 71976a3 24019->24131 24024->24014 24038 7197252 24037->24038 24039 7197cf9 4 API calls 24038->24039 24040 719765c 2 API calls 24038->24040 24041 7197731 2 API calls 24038->24041 24042 7197d55 2 API calls 24038->24042 24043 71979f4 2 API calls 24038->24043 24044 7197c56 2 API calls 24038->24044 24045 7197cb6 2 API calls 24038->24045 24046 71979a9 2 API calls 24038->24046 24047 71977ad 2 API calls 24038->24047 24048 7197aac 2 API calls 24038->24048 24049 7197276 24038->24049 24050 719780e 2 API calls 24038->24050 24051 7198041 2 API 
calls 24038->24051 24052 71976a3 2 API calls 24038->24052 24053 7197a43 2 API calls 24038->24053 24054 7197b62 2 API calls 24038->24054 24055 7197787 2 API calls 24038->24055 24039->24049 24040->24049 24041->24049 24042->24049 24043->24049 24044->24049 24045->24049 24046->24049 24047->24049 24048->24049 24049->24014 24050->24049 24051->24049 24052->24049 24053->24049 24054->24049 24055->24049 24057 7197793 24056->24057 24057->24056 24058 719761d 24057->24058 24136 71945f8 24057->24136 24140 71945f0 24057->24140 24058->24024 24062 7197793 24061->24062 24063 719761d 24062->24063 24064 71945f8 VirtualAllocEx 24062->24064 24065 71945f0 VirtualAllocEx 24062->24065 24063->24024 24064->24063 24065->24063 24067 7197793 24066->24067 24068 719761d 24067->24068 24069 71945f8 VirtualAllocEx 24067->24069 24070 71945f0 VirtualAllocEx 24067->24070 24068->24024 24069->24068 24070->24068 24072 71979d2 24071->24072 24144 71946b8 24072->24144 24148 71946b1 24072->24148 24073 7197f50 24077 71979cc 24076->24077 24079 71946b8 WriteProcessMemory 24077->24079 24080 71946b1 WriteProcessMemory 24077->24080 24078 7197e19 24079->24078 24080->24078 24082 7197c55 24081->24082 24083 7197c70 24081->24083 24152 71940e8 24082->24152 24156 71940e0 24082->24156 24083->24024 24088 71940e8 Wow64SetThreadContext 24086->24088 24089 71940e0 Wow64SetThreadContext 24086->24089 24087 7197c70 24087->24024 24088->24087 24089->24087 24091 7197975 24090->24091 24091->24090 24092 7197de4 24091->24092 24093 71946b8 WriteProcessMemory 24091->24093 24094 71946b1 WriteProcessMemory 24091->24094 24093->24091 24094->24091 24096 7197d62 24095->24096 24160 7193bf8 24096->24160 24164 7193c00 24096->24164 24097 7198022 24101 7197737 24100->24101 24168 7194940 24101->24168 24172 7194934 24101->24172 24106 7197662 24105->24106 24107 7197768 24106->24107 24108 7194940 CreateProcessA 24106->24108 24109 7194934 CreateProcessA 24106->24109 24107->24024 24108->24107 24109->24107 24115 71940e8 Wow64SetThreadContext 24110->24115 
24116 71940e0 Wow64SetThreadContext 24110->24116 24111 7197d13 24113 7193bf8 ResumeThread 24111->24113 24114 7193c00 ResumeThread 24111->24114 24112 7198022 24113->24112 24114->24112 24115->24111 24116->24111 24118 7197793 24117->24118 24119 719761d 24118->24119 24120 71945f8 VirtualAllocEx 24118->24120 24121 71945f0 VirtualAllocEx 24118->24121 24119->24024 24120->24119 24121->24119 24176 71947a8 24122->24176 24180 71947a0 24122->24180 24123 71978de 24123->24024 24127 7197793 24126->24127 24128 719761d 24127->24128 24129 71945f8 VirtualAllocEx 24127->24129 24130 71945f0 VirtualAllocEx 24127->24130 24128->24024 24129->24128 24130->24128 24132 71976ad 24131->24132 24133 7197768 24132->24133 24134 7194940 CreateProcessA 24132->24134 24135 7194934 CreateProcessA 24132->24135 24133->24024 24134->24133 24135->24133 24137 7194638 VirtualAllocEx 24136->24137 24139 7194675 24137->24139 24139->24058 24141 7194666 VirtualAllocEx 24140->24141 24143 71945f6 24140->24143 24142 7194675 24141->24142 24142->24058 24143->24141 24145 7194700 WriteProcessMemory 24144->24145 24147 7194757 24145->24147 24147->24073 24149 71946b8 WriteProcessMemory 24148->24149 24151 7194757 24149->24151 24151->24073 24153 719412d Wow64SetThreadContext 24152->24153 24155 7194175 24153->24155 24155->24083 24157 71940e8 Wow64SetThreadContext 24156->24157 24159 7194175 24157->24159 24159->24083 24161 7193c00 ResumeThread 24160->24161 24163 7193c71 24161->24163 24163->24097 24165 7193c40 ResumeThread 24164->24165 24167 7193c71 24165->24167 24167->24097 24169 7194981 CreateProcessA 24168->24169 24171 7194b8b 24169->24171 24171->24171 24173 719493a CreateProcessA 24172->24173 24175 7194b8b 24173->24175 24175->24175 24177 71947f3 ReadProcessMemory 24176->24177 24179 7194837 24177->24179 24179->24123 24181 71947a8 ReadProcessMemory 24180->24181 24183 7194837 24181->24183 24183->24123 24184 dfd690 DuplicateHandle 24185 dfd726 24184->24185 24186 dfacb0 24190 dfad9f 24186->24190 24195 dfada8 24186->24195 24187 
dfacbf 24192 dfada8 24190->24192 24191 dfaddc 24191->24187 24192->24191 24193 dfafe0 GetModuleHandleW 24192->24193 24194 dfb00d 24193->24194 24194->24187 24196 dfadb9 24195->24196 24197 dfaddc 24195->24197 24196->24197 24198 dfafe0 GetModuleHandleW 24196->24198 24197->24187 24199 dfb00d 24198->24199 24199->24187 24226 dfd040 24227 dfd086 GetCurrentProcess 24226->24227 24229 dfd0d8 GetCurrentThread 24227->24229 24231 dfd0d1 24227->24231 24230 dfd115 GetCurrentProcess 24229->24230 24232 dfd10e 24229->24232 24233 dfd14b 24230->24233 24231->24229 24232->24230 24234 dfd173 GetCurrentThreadId 24233->24234 24235 dfd1a4 24234->24235
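The process-8 execution graph above is the part of this report that backs the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures: from 7197236 the call graph reaches CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread (plus ReadProcessMemory), which is the classic process-hollowing chain for a 32-bit target. The graph is serialised as a flat token list, so checking this by hand is error-prone. The following is an added example, not Joe Sandbox code and not part of the report; it assumes the serialisation seen here ("<id> <hex-address> [labels...]" defines a node, "<src>-><dst>" is an edge, labels are API names or an "N API calls" summary). The function names and the trimmed excerpt are ours; the node ids and addresses are copied from the report.

```python
"""Parse a Joe Sandbox execution_graph token blob and check the API set reachable
from each root against a process-hollowing pattern.

Added example, not from the report or from Joe Sandbox. Assumes the format seen
in the report: "<id> <hex-addr> [labels...]" defines a node, "<src>-><dst>" is an
edge, labels are Win32 API names or an "N API calls" summary.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report's process-8 graph: the 7194df5 root trimmed to
# one path per API of interest, plus the 7194f6d root whose only label is a summary.
EXCERPT = (
    "24012 7194df5 24013 7194d5c 24012->24013 24014 7195072 24013->24014 "
    "24017 7197228 24013->24017 24019 7197236 24017->24019 "
    "24056 7198041 24019->24056 24071 71977ad 24019->24071 24081 7197cb6 24019->24081 "
    "24095 7197d55 24019->24095 24100 7197731 24019->24100 24122 7197b62 24019->24122 "
    "24136 71945f8 24056->24136 24137 7194638 VirtualAllocEx 24136->24137 "
    "24144 71946b8 24071->24144 24145 7194700 WriteProcessMemory 24144->24145 "
    "24152 71940e8 24081->24152 24153 719412d Wow64SetThreadContext 24152->24153 "
    "24160 7193bf8 24095->24160 24161 7193c00 ResumeThread 24160->24161 "
    "24168 7194940 24100->24168 24169 7194981 CreateProcessA 24168->24169 "
    "24176 71947a8 24122->24176 24177 71947f3 ReadProcessMemory 24176->24177 "
    "24200 7194f6d 24201 7194d5c 24200->24201 24203 7197238 12 API calls 24201->24203"
)

_INT = re.compile(r"^[0-9]+$")
_HEX = re.compile(r"^[0-9a-f]+$")
# Win32 export names: CamelCase with at least one lowercase letter (rejects "API", "12").
_API = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")

# Hollowing chain for a 32-bit target on a 64-bit host (hence Wow64SetThreadContext).
HOLLOWING_APIS = frozenset({
    "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
    "Wow64SetThreadContext", "ResumeThread",
})


def parse_graph(blob):
    """Return (nodes, edges): nodes[id] = (addr, labels), edges[id] = [dst ids].

    A node is "<int> <hex>"; the "N API calls" summary is safe because "API" is
    not hex, so the leading integer is kept as a label of the current node.
    """
    toks = blob.split()
    nodes, edges = {}, defaultdict(list)
    cur, i = None, 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                                           # edge
            src, dst = tok.split("->", 1)
            edges[int(src)].append(int(dst))
            i += 1
        elif _INT.match(tok) and i + 1 < len(toks) and _HEX.match(toks[i + 1]):
            cur = int(tok)                                        # node definition
            nodes[cur] = (toks[i + 1], [])
            i += 2
        else:                                                     # label of current node
            if cur is not None:
                nodes[cur][1].append(tok)
            i += 1
    return nodes, dict(edges)


def roots(nodes, edges):
    """Node ids with no incoming edge, i.e. the graph's entry points."""
    targets = {d for dsts in edges.values() for d in dsts}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, root):
    """API names on every node reachable from root (iterative DFS, cycle-safe)."""
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        _addr, labels = nodes.get(n, ("?", []))
        apis.update(lbl for lbl in labels if _API.match(lbl))
        stack.extend(edges.get(n, []))
    return apis


def hollowing_indicators(nodes, edges, root):
    """(present, missing) hollowing APIs reachable from root; empty missing = full chain."""
    apis = reachable_apis(nodes, edges, root)
    return sorted(HOLLOWING_APIS & apis), sorted(HOLLOWING_APIS - apis)


if __name__ == "__main__":
    g_nodes, g_edges = parse_graph(EXCERPT)
    for r in roots(g_nodes, g_edges):
        present, missing = hollowing_indicators(g_nodes, g_edges, r)
        verdict = "full hollowing chain" if not missing else f"missing {missing}"
        extra = sorted(reachable_apis(g_nodes, g_edges, r) - HOLLOWING_APIS)
        print(f"root {r} ({g_nodes[r][0]}): {verdict}; other APIs {extra}")
```

On the excerpt, the 7194df5 root yields the full chain and additionally ReadProcessMemory, while the 7194f6d root yields nothing because its only label is the "12 API calls" summary; the parser deliberately keeps such summary nodes (their counts are not API names) so a graph with collapsed branches still parses. Reachability is a call-graph relation, not an execution order, so a hit means the five APIs are all callable from the root, not that they were called in that sequence; the report's own API trace is the place to confirm order.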

              Control-flow Graph

              control_flow_graph 296 dfd031-dfd0cf GetCurrentProcess 300 dfd0d8-dfd10c GetCurrentThread 296->300 301 dfd0d1-dfd0d7 296->301 302 dfd10e-dfd114 300->302 303 dfd115-dfd149 GetCurrentProcess 300->303 301->300 302->303 304 dfd14b-dfd151 303->304 305 dfd152-dfd16d call dfd61f 303->305 304->305 309 dfd173-dfd1a2 GetCurrentThreadId 305->309 310 dfd1ab-dfd20d 309->310 311 dfd1a4-dfd1aa 309->311 311->310
              APIs
              • GetCurrentProcess.KERNEL32 ref: 00DFD0BE
              • GetCurrentThread.KERNEL32 ref: 00DFD0FB
              • GetCurrentProcess.KERNEL32 ref: 00DFD138
              • GetCurrentThreadId.KERNEL32 ref: 00DFD191
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 7cd0a4741a79b5dddd06e37e558578cc1659941d31423133547330b5672a9a7f
              • Instruction ID: 42956da2830ffc634971ad4e72348b5fc28e70167d1e80bfe15fbef2692d3f44
              • Opcode Fuzzy Hash: 7cd0a4741a79b5dddd06e37e558578cc1659941d31423133547330b5672a9a7f
              • Instruction Fuzzy Hash: 355149B09003498FDB14DFAAD548BAEBBF2EB88304F25C45AE419B7360D7745984CB61

              Control-flow Graph (rendered graph omitted): function dfd040-dfd20d; GetCurrentProcess in blocks dfd040-dfd0cf and dfd115-dfd149, GetCurrentThread in block dfd0d8-dfd10c, call dfd61f in block dfd152-dfd16d, GetCurrentThreadId in block dfd173-dfd1a2
              APIs
              • GetCurrentProcess.KERNEL32 ref: 00DFD0BE
              • GetCurrentThread.KERNEL32 ref: 00DFD0FB
              • GetCurrentProcess.KERNEL32 ref: 00DFD138
              • GetCurrentThreadId.KERNEL32 ref: 00DFD191
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 4b66e2eaff2d7d5ab4107e790a2626579105c6f84e0ee3e73968bb02df5e28b8
              • Instruction ID: f13fc08f8c47732172e8923e2b63bdbfab0f87d43f60586aeb90b57fd46ee693
              • Opcode Fuzzy Hash: 4b66e2eaff2d7d5ab4107e790a2626579105c6f84e0ee3e73968bb02df5e28b8
              • Instruction Fuzzy Hash: EA5158B09003098FDB14DFAAD948BAEBBF6EB88304F25845AE419B7360D7745984CB61

              Control-flow Graph (rendered graph omitted): function 7194934-7194c85; CreateProcessA in block 7194acf-7194b89
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07194B76
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 7c6db22231d12524c7d0633ae2b56087b075022c15b1fc400261433fe686db84
              • Instruction ID: 1ab97d548ec626df48cab6b0bb7619af02bfad83b93385c6e28cdfd9638d09e5
              • Opcode Fuzzy Hash: 7c6db22231d12524c7d0633ae2b56087b075022c15b1fc400261433fe686db84
              • Instruction Fuzzy Hash: 50A16FB1D00259DFDF11CF68C8417EEBBB2BF49714F148569E809A7280DB749986CF92

              Control-flow Graph (rendered graph omitted): function 7194940-7194c85; CreateProcessA in block 7194acf-7194b89
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07194B76
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 2fe075f4787ea519de865b13762e20743ca6b2823352c50755deccc0893bd717
              • Instruction ID: 843e5702f05fcbd512415f9576145f3db25dcd5d0a8b6807a1d04e82ce7d7449
              • Opcode Fuzzy Hash: 2fe075f4787ea519de865b13762e20743ca6b2823352c50755deccc0893bd717
              • Instruction Fuzzy Hash: 3C915EB1D00259CFDF25CF68C8417EEBBB2BF49714F148569E809A7280DB749986CF92

              Control-flow Graph (rendered graph omitted): function dfada8-dfb028; calls dfa0cc (block dfadb9-dfadc6), dfb037 or dfb040 (block dfadce), dfa0d8 (block dfae60-dfae67), dfa0e8 (block dfaea8-dfaeaa), dfa0f8 and dfa108 (block dfaece-dfaede); GetModuleHandleW in block dfafe0-dfb00b
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00DFAFFE
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 762d1c4b625ef705a6939739883a283a125fce766949c4d02b8dbd1b8b38d427
              • Instruction ID: 245971eaca1a1345bc59f00f0ce8953791307fcf435c864e29c02a9926ba8a7f
              • Opcode Fuzzy Hash: 762d1c4b625ef705a6939739883a283a125fce766949c4d02b8dbd1b8b38d427
              • Instruction Fuzzy Hash: E17138B0A00B098FD724DF29D44176ABBF1FF88300F05892DE59AD7A50D775E949CBA1

              Control-flow Graph (rendered graph omitted): function df590c-df5a61; CreateActCtxA in block df5913-df59d9
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00DF59C9
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 9d64077cc8ab5009faa12ed3ffaaf38e91a16d81185df4f93107db2a60fb14f8
              • Instruction ID: d1f8c751acaba8c0a631c4f27ec5870cd73ab7e9e674c07631ad014362815083
              • Opcode Fuzzy Hash: 9d64077cc8ab5009faa12ed3ffaaf38e91a16d81185df4f93107db2a60fb14f8
              • Instruction Fuzzy Hash: C84102B0C0071DCFCB24CFA9C884ADDBBB1BF48304F24816AD519AB255DB71698ACF91

              Control-flow Graph (rendered graph omitted): function df44b4-df5a61; CreateActCtxA in block df44b4-df59d9
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00DF59C9
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 86eb6d313b1d9f5c40926f006761a98056dd2e93bb20a1fda12af23e909f70a5
              • Instruction ID: 009d632a04ee9322e1d221dee40b5bd7defde899971cc362c541a7d92230f06a
              • Opcode Fuzzy Hash: 86eb6d313b1d9f5c40926f006761a98056dd2e93bb20a1fda12af23e909f70a5
              • Instruction Fuzzy Hash: 2D41E3B0D0071DCBDB24DFA9C884BDDBBB5BF48304F24816AD508AB255DB716946CF91

              Control-flow Graph (rendered graph omitted): function 71946b1-719478e; WriteProcessMemory in block 7194716-7194755
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07194748
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: a73cc7ff569fbe01eb933131fd0e7c31cf4e623fa289f95657b4e6c370e213c7
              • Instruction ID: f6ef96af7248ff4a19d2a75f70678898442eac69bae909b07f4628dcc6b1790a
              • Opcode Fuzzy Hash: a73cc7ff569fbe01eb933131fd0e7c31cf4e623fa289f95657b4e6c370e213c7
              • Instruction Fuzzy Hash: 3B2126B5D002499FCB10CFA9C885BEEBBF5FF88310F148429E959A7240C7749956DBA1

              Control-flow Graph (rendered graph omitted): function 71946b8-719478e; WriteProcessMemory in block 7194716-7194755
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07194748
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: d2adc768699370b34ee0a867256ba420317211963f3c2efd2067cd56985f62cb
              • Instruction ID: e43085fbd691c4a68abaace4e0b452f1693031a0c6c4b75d6f0ace9c697cd984
              • Opcode Fuzzy Hash: d2adc768699370b34ee0a867256ba420317211963f3c2efd2067cd56985f62cb
              • Instruction Fuzzy Hash: 672115B5D003599FCB10CFA9C885BEEBBF5FB88310F108429E919A7240C7789955DBA1

              Control-flow Graph (rendered graph omitted): function 71947a0-719486e; ReadProcessMemory in block 71947a0-7194835
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07194828
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 7b0e9349ef121bdfc4949d82e0174713717740e4117ce5cc7c435e74bd0f5ba0
              • Instruction ID: efd84d1a64eb0468ad9781fad56a673d22811a4c8f1aadc732a0ac3032c25585
              • Opcode Fuzzy Hash: 7b0e9349ef121bdfc4949d82e0174713717740e4117ce5cc7c435e74bd0f5ba0
              • Instruction Fuzzy Hash: 0C2139B1C002499FCB10CFA9D841AEEFBF5FF48310F50842DE919A7250C7349546DBA1

              Control-flow Graph (rendered graph omitted): function 71940e0-71941ac; Wow64SetThreadContext in block 7194143-7194173
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07194166
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 19873502640be1d1b9248102dffe549e98177bd2b9ad95633a06e90f639c2a48
              • Instruction ID: 5664cfbde4e47951abefdefb62ee364108a604e689ebb2b86d58b5101453f7be
              • Opcode Fuzzy Hash: 19873502640be1d1b9248102dffe549e98177bd2b9ad95633a06e90f639c2a48
              • Instruction Fuzzy Hash: 082148B1D002499FCB10DFAAC4457EEFFF4EB88314F648429D559A7240C778A546CBA1
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07194828
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 24d937467ca8411ea4d50ddebe36ed88292b27e14eee425cf0e8de3efe408c67
              • Instruction ID: 07868b1648964f2463880a8765793d6060a201185ee785d78f0765b1dfffa104
              • Opcode Fuzzy Hash: 24d937467ca8411ea4d50ddebe36ed88292b27e14eee425cf0e8de3efe408c67
              • Instruction Fuzzy Hash: 5B2128B1C003599FCB10DFAAC845AEEFBF5FF88310F508429E919A7250C7749545DBA1
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07194166
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 8508d0e74c7a88bd232cdd66ec144ce3c8a27c732a2731e1e51632b56f42bc78
              • Instruction ID: 86a939f870d85acc847d5e821690417f452a12552c65e4111a5c20b449ffc654
              • Opcode Fuzzy Hash: 8508d0e74c7a88bd232cdd66ec144ce3c8a27c732a2731e1e51632b56f42bc78
              • Instruction Fuzzy Hash: 242137B1D002098FDB10DFAAC4857AEBBF4AB88314F54842AD819A7240C778A946CBA1
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFD717
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: cb3e8673477ff80aac4ad741595ccfcae78e8c7b148eda7f72a960f9a7a388b3
              • Instruction ID: 0cea176e75cfed4e5de624cbae8b7a6b87cb0f45fd707e93fba6ace47736ce29
              • Opcode Fuzzy Hash: cb3e8673477ff80aac4ad741595ccfcae78e8c7b148eda7f72a960f9a7a388b3
              • Instruction Fuzzy Hash: 9E21E4B5D002499FDB10CF9AD484AEEFBF9EB48310F14801AE918A7310C374A954CFA1
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFD717
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: d4b4b8a87e31052cc2f1068ae3766fc8cf8f7dc925483a7513c5a0d70d69bb96
              • Instruction ID: 79b3e03b43ffad29b14762ba8160bf355c2c0bd61395868656683ab31beb2c0d
              • Opcode Fuzzy Hash: d4b4b8a87e31052cc2f1068ae3766fc8cf8f7dc925483a7513c5a0d70d69bb96
              • Instruction Fuzzy Hash: E221E2B5D002499FDB10CFAAD584AEEFBF5EB48314F14841AE919B7310C374A955CFA1
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07194666
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: d8de48a29ea7666b8f004f3ef50185b54a2fa87f204e97afb0b33b88ca784327
              • Instruction ID: 8b6cf0d90f5d832a5fa260fbb884506d842500be193ac6af39f5a7bd914dc53a
              • Opcode Fuzzy Hash: d8de48a29ea7666b8f004f3ef50185b54a2fa87f204e97afb0b33b88ca784327
              • Instruction Fuzzy Hash: 141147B2D002499FCB10DFA9C844AEFFFF5EF88320F148419E959A7250C775A556CBA1
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: ae191a7ceb941d77edf99d4d85ae407ee00fa4072eaf9c6a5952c2edbf1afdf1
              • Instruction ID: 10a0f6ea4dbd609c763a2ff742662a74c0d10442743250966905a2420b99232e
              • Opcode Fuzzy Hash: ae191a7ceb941d77edf99d4d85ae407ee00fa4072eaf9c6a5952c2edbf1afdf1
              • Instruction Fuzzy Hash: EB1146B1D103499BCB10DFAAC4457EFFFF5EB89324F24842AD459A7240C774A946CB91
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07194666
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 7607d3c2dbf5c25a927cb092200083b3e07482f858ee5faaab285a63d2e285de
              • Instruction ID: a4526abbc20ef0405633e3c63e56ea66512d0ec4fc1461798972bc94c6f10568
              • Opcode Fuzzy Hash: 7607d3c2dbf5c25a927cb092200083b3e07482f858ee5faaab285a63d2e285de
              • Instruction Fuzzy Hash: AB1156B2C002499FCB10DFAAC844ADFFFF5EB88320F148419E919A7250C775A541CBA1
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: cc66b5e30d261fc09487c27b682444cc9a493671d550ad894f6faad1325b1774
              • Instruction ID: 4e901b72ccf5f5d09ceb36b4100c8bca049b6fddc00ee18f21ccd92c85e6ba09
              • Opcode Fuzzy Hash: cc66b5e30d261fc09487c27b682444cc9a493671d550ad894f6faad1325b1774
              • Instruction Fuzzy Hash: 511136B1D003498FCB20DFAAC4457EFFBF5EB88324F24842AD519A7240CB75A945CBA5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0719870D
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 1fc2addf1dc83f9df519f6bd3a374d5cc873af4d9b5b240d434494a516788f19
              • Instruction ID: 7ff2d1f9960f7c47a58c8dbac99603d408e70e2485bd75fc5d24ff696c3a65c0
              • Opcode Fuzzy Hash: 1fc2addf1dc83f9df519f6bd3a374d5cc873af4d9b5b240d434494a516788f19
              • Instruction Fuzzy Hash: C011F2B68002499FCB10DF9AD484BDEFFF8EB49320F248459E958A7250C375A685CFA1
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00DFAFFE
              Memory Dump Source
              • Source File: 00000008.00000002.1731558009.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_df0000_eFXWrQYLi.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 1706a033e89c64aeea6c09c3259ddcfb59e021675752e02c2b7f5a42d2a2acaa
              • Instruction ID: 9ea031d1de96135ae4576779fb2f6a2933fbb83d31fcebb2c49fd15633704be3
              • Opcode Fuzzy Hash: 1706a033e89c64aeea6c09c3259ddcfb59e021675752e02c2b7f5a42d2a2acaa
              • Instruction Fuzzy Hash: A111E0B6C002498FCB10CF9AD444BDEFBF5EF88324F15841AD929A7610D375A545CFA5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0719870D
              Memory Dump Source
              • Source File: 00000008.00000002.1741442705.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_7190000_eFXWrQYLi.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: ddbdc249f8e2657b910a13683201b16fab359fd1ab71b21f6832740ccfef31a6
              • Instruction ID: a88308995a380d5c8ac461f0c1a042995b5972a3d0fcc0ff4890fcfedda12b24
              • Opcode Fuzzy Hash: ddbdc249f8e2657b910a13683201b16fab359fd1ab71b21f6832740ccfef31a6
              • Instruction Fuzzy Hash: B911F5B58103499FCB10DF9AD445BDEFBF8EB49310F108419E918B7250C375A945CFA5
              Memory Dump Source
              • Source File: 00000008.00000002.1730882713.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_d9d000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: feb8d2bcb8c3ef202f0009e159550ed37e42fe231deb465a18c7501f465925e8
              • Instruction ID: ba51858d5e79adfa58d6522dceed88183c0b1809cc5ab5332f4237aaf52010e4
              • Opcode Fuzzy Hash: feb8d2bcb8c3ef202f0009e159550ed37e42fe231deb465a18c7501f465925e8
              • Instruction Fuzzy Hash: 2C21CFB1504240EFDF45DF14D9C0B26BF66FB98318F28C569E9490B256C336D856CBB2
              Memory Dump Source
              • Source File: 00000008.00000002.1730941123.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_dad000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da2f3710945b7248290e93bc483f5992c036a948afab22bdaa604b6573c568d3
              • Instruction ID: ce75e5a27f69484129c53176f21aaa1f04e260b4867bd279e48c9433a4a39b9d
              • Opcode Fuzzy Hash: da2f3710945b7248290e93bc483f5992c036a948afab22bdaa604b6573c568d3
              • Instruction Fuzzy Hash: FE21F2B1604240DFDB14DF24D9C4B26BBA6EB89314F34C96DE84A4B696C33AD807CA75
              Memory Dump Source
              • Source File: 00000008.00000002.1730941123.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_dad000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 37c3d76c70e6954e4a6afff014968e6c7981d79b41ae30827b6c320603fa7ff6
              • Instruction ID: 9617d6c1acac466d74c9911b71beef07e93d872b524d41f437b6e2f6ac375cd8
              • Opcode Fuzzy Hash: 37c3d76c70e6954e4a6afff014968e6c7981d79b41ae30827b6c320603fa7ff6
              • Instruction Fuzzy Hash: ED2126B1504200EFDB05DF14D9C0B2ABBA6FB85314F34C96DE84B4B696C33AD806CA75
              Memory Dump Source
              • Source File: 00000008.00000002.1730941123.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_dad000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c884b48e80e58cfce492951c191124aef1fe7776b6ca9e1d2dccedd229ef94ac
              • Instruction ID: 3eea594f6e4d3d016eee27675e6c27a48bfbb172f364ed4cebc4bdb37cb9f290
              • Opcode Fuzzy Hash: c884b48e80e58cfce492951c191124aef1fe7776b6ca9e1d2dccedd229ef94ac
              • Instruction Fuzzy Hash: 1C2162755093C08FDB16CF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62
              Memory Dump Source
              • Source File: 00000008.00000002.1730882713.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_d9d000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction ID: 057a9f742afa4d35819717198903224310e9923a06f5c0fe009c3ea748c14052
              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction Fuzzy Hash: 7A11E676504280CFCF16CF14D5C4B16BF72FB94314F28C6A9D8494B656C336D85ACBA1
              Memory Dump Source
              • Source File: 00000008.00000002.1730941123.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_dad000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction ID: 043d524399517a0fd3c8e6b45398a6a401a36c694b80092d74e593bc85bc88b0
              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction Fuzzy Hash: 5311D075504240DFCB01CF10D5C4B19FB72FB85314F28C6ADD84A4B666C33AD80ACB61

              Execution Graph

              Execution Coverage:10.5%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:29
              Total number of Limit Nodes:1
              Execution graph edges (rendered graph omitted): entry b54810 -> b54890 -> b5ac89 / b5ac90 (GetConsoleWindow); b54838 -> b5b3c8 -> b5b4c9 / b5b4d8 -> b5b0ec -> b5c590 (CreateActCtxA); entry b5484d -> b54855 -> b5b3c8 (CreateActCtxA)

              Control-flow Graph (rendered graph omitted): function b5c585-b5c758; CreateActCtxA in block b5c62d-b5c694
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00B5C681
              Memory Dump Source
              • Source File: 0000000C.00000002.1722443302.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b50000_eFXWrQYLi.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 254dd54e3264c3416825517246cec5577dbefbc8c7ba3f353f6dc22b4a98ce50
              • Instruction ID: cecdd8a1b2803233429d0d7fa441eccc6ffb78bb017cda6ab0682fad7b2cfda1
              • Opcode Fuzzy Hash: 254dd54e3264c3416825517246cec5577dbefbc8c7ba3f353f6dc22b4a98ce50
              • Instruction Fuzzy Hash: AE51D5B5D002198FDB20DFA9C884BDEBBF5FF49304F1080A9D509AB251DB716A89CF95

              Control-flow Graph

              Control-flow graph: interactive graphic with executed / not executed colouring, basic blocks b5b0ec through b5c758; call to CreateActCtxA
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00B5C681
              Memory Dump Source
              • Source File: 0000000C.00000002.1722443302.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b50000_eFXWrQYLi.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 7cf191bfb3700c4ea8767bae504561c52eb116aa437ef4ee8ee845737cf5d8ad
              • Instruction ID: ce6171d7fadf82b1503b91e2ec32f0b71c11c627d2cf6c0507246f87718da578
              • Opcode Fuzzy Hash: 7cf191bfb3700c4ea8767bae504561c52eb116aa437ef4ee8ee845737cf5d8ad
              • Instruction Fuzzy Hash: 2651D5B1D002198FDB20DFA9C884BDEBBF5FF49300F1080A99509AB251DB716A89CF91

              Control-flow Graph

              Control-flow graph: interactive graphic with executed / not executed colouring, basic blocks b5ac89 through b5ad59; call to GetConsoleWindow
              APIs
              • GetConsoleWindow.KERNELBASE ref: 00B5AD00
              Memory Dump Source
              • Source File: 0000000C.00000002.1722443302.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b50000_eFXWrQYLi.jbxd
              Similarity
              • API ID: ConsoleWindow
              • String ID:
              • API String ID: 2863861424-0
              • Opcode ID: aa3237aeeb2f845516f11ac284380148df78b38c8f729fb24994956411ee3b8a
              • Instruction ID: bd6cd295f0fa63876e0450d9a367959f3d4fe05a4fe86fccfc1862c08f0c90f7
              • Opcode Fuzzy Hash: aa3237aeeb2f845516f11ac284380148df78b38c8f729fb24994956411ee3b8a
              • Instruction Fuzzy Hash: AE21FCB4D012098FCB10DFA9D584ADEFFF4EB89320F2480AAE819B7240C7356945CFA5

              Control-flow Graph

              Control-flow graph: interactive graphic with executed / not executed colouring, basic blocks b5ac90 through b5ad59; call to GetConsoleWindow
              APIs
              • GetConsoleWindow.KERNELBASE ref: 00B5AD00
              Memory Dump Source
              • Source File: 0000000C.00000002.1722443302.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b50000_eFXWrQYLi.jbxd
              Similarity
              • API ID: ConsoleWindow
              • String ID:
              • API String ID: 2863861424-0
              • Opcode ID: b7fa8d81b1e5985692f2b1a99d56f9e0b7952003e4c8b8374efd6c3a68b487ca
              • Instruction ID: 91136d775816e9b4c2f7d122fe434a247742ff7e5d0a669c0548d8e9e326c562
              • Opcode Fuzzy Hash: b7fa8d81b1e5985692f2b1a99d56f9e0b7952003e4c8b8374efd6c3a68b487ca
              • Instruction Fuzzy Hash: F521EBB4D012098FCB10DFA9D584ADEFBF4EB88324F24906AE819B7340D735A945CFA5

              Control-flow Graph

              Control-flow graph: interactive graphic with executed / not executed colouring, basic blocks 4eddcf0 through 4ede496; calls to 4edf740 / 4edf750, 4edc998 and 4edc9a8
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9b29fc0dea88a986ca2896a6d2860dd05645c831b41bee633e1508a9f68cc08
              • Instruction ID: f403e40b80ad27d85dfde097e0ab480a2e44f88a9ee66473ccdfc2513779d4ea
              • Opcode Fuzzy Hash: e9b29fc0dea88a986ca2896a6d2860dd05645c831b41bee633e1508a9f68cc08
              • Instruction Fuzzy Hash: 6642D330D00619CFCB15EFA8C8486DCBBB1FF49304F5196A9D5497B265EB30AA99CF81
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 743a3e962efc11ca2b0f81471df3ace016fb1a5d854dfdf8828e0ab017863a64
              • Instruction ID: 277b799493ecc26524493d2eb2037c6d3bfca264cb51a3d93057f0fbf45cd66c
              • Opcode Fuzzy Hash: 743a3e962efc11ca2b0f81471df3ace016fb1a5d854dfdf8828e0ab017863a64
              • Instruction Fuzzy Hash: 9242E230D00619CFCB15EFA8C8486DCBBB1FF49304F5196A9D5497B265EB30AA99CF81
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e313bc4401017b30c56f43070e36c65a575e12bcfca625fa5779f8cecc70e33
              • Instruction ID: 4e1b9070420d256bee0676729ee8cc915635bbdcd513c89d94cc3b5dfb6f1b87
              • Opcode Fuzzy Hash: 8e313bc4401017b30c56f43070e36c65a575e12bcfca625fa5779f8cecc70e33
              • Instruction Fuzzy Hash: 75B19071A04209CFEF21DFA5C4406AEFBB5FF88348F20556ED509AB245DB31A952CF91
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d9b2e4b5f2b2faff1226b1f91e8d4155907e7d7362a0056b95340b5deb9a6d0
              • Instruction ID: 508c98a071bb221767628b413128d6809f1a97a4ac0673a5d7f2f9df36c586f1
              • Opcode Fuzzy Hash: 6d9b2e4b5f2b2faff1226b1f91e8d4155907e7d7362a0056b95340b5deb9a6d0
              • Instruction Fuzzy Hash: 0481A074A00504DFDB14EFA4D4805BEB7F1FF48704B1481AAE849EB364EB35E942CB94
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52090b2c9b07b400cf5606640a72511753c78aecd96d4563a361fb3383431a7f
              • Instruction ID: 37e75da2faeb0a4fb183c48468f105325831019f1f97d594197a6bd2aac0b594
              • Opcode Fuzzy Hash: 52090b2c9b07b400cf5606640a72511753c78aecd96d4563a361fb3383431a7f
              • Instruction Fuzzy Hash: C181A130A10209DFDB11EF68D888AECBBB0FF44314F515469E445A72A4EB71E9A6CB40
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d26ceae62ac9c8626a07c6cac8bb56ba61c83d578c1ad15780b624a0dbbbcb9
              • Instruction ID: 54d2d4a37745a340ff430fcd70b316a5430b28e1676264177268d93d6f6fcb0f
              • Opcode Fuzzy Hash: 5d26ceae62ac9c8626a07c6cac8bb56ba61c83d578c1ad15780b624a0dbbbcb9
              • Instruction Fuzzy Hash: 58416670B142589FDB14DFA9D884AADBBF6BF4D708F1450A9E401EB3A1DA31E901CB10
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 849c6f5248e45e2f13d829fba7c3357c272e14e658a824a85b80a76c4b8a6341
              • Instruction ID: 56dfed186025350c8843c95e53d054e89958cc81e3844eb091647845df037e3c
              • Opcode Fuzzy Hash: 849c6f5248e45e2f13d829fba7c3357c272e14e658a824a85b80a76c4b8a6341
              • Instruction Fuzzy Hash: 69416030A112049FDB04EF69C850A9DBBF2EF89314F559669E411FB3A0EB35BD42CB50
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d660b33d089af350e2be28f03c265990adccf18b81180d01e11fadf8fbde472
              • Instruction ID: dd8556b3631b4a72600de3cd0fa5fba223dcb2e292c0ebbecdf4728c5755e76e
              • Opcode Fuzzy Hash: 9d660b33d089af350e2be28f03c265990adccf18b81180d01e11fadf8fbde472
              • Instruction Fuzzy Hash: 5B41E470F1C21A9FCB01AF65CD45EEE7BF0EB85344F10A4A6D486E7295F630A913DA80
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53bfdda59ba71c99f82cf07254a17ae7f131ca2150c5ea49105b4e4102e433e9
              • Instruction ID: 92709494fd21db993c185fe6f64cbd27479293d9281918574fabc7b311a23956
              • Opcode Fuzzy Hash: 53bfdda59ba71c99f82cf07254a17ae7f131ca2150c5ea49105b4e4102e433e9
              • Instruction Fuzzy Hash: D341D070F1851A9FCB01AF65CD49FEA7BF0EB85340F10B462E482E7294F630E912DA80
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 281d4469c5be386e3f453715bd68424985dcc9f514a23eb6b209082200cc681c
              • Instruction ID: 186db4e14cacd13efeae9a5a106b6b437ff21a0dfecbf88175d794498e707588
              • Opcode Fuzzy Hash: 281d4469c5be386e3f453715bd68424985dcc9f514a23eb6b209082200cc681c
              • Instruction Fuzzy Hash: 3C41D770E0C21A9FCB01AF65CD49EEA7FF1EB85340F11A096D486E7295F634E912CB80
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1fd4f1ed0aebf839adb7c8448ae05bc0a3867878dad10a62e553f6c05a50481
              • Instruction ID: 97a0670232464f1f3788299b79ca67336549da999e64e5709cf99083a3334c2f
              • Opcode Fuzzy Hash: f1fd4f1ed0aebf839adb7c8448ae05bc0a3867878dad10a62e553f6c05a50481
              • Instruction Fuzzy Hash: 67416D30A012089FDB04DF69C850AADBBF2EF89314F159569E411BB3A0EB30FD42CB50
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 335f1229ad47625e850baeea7f87e94b66ecd9c312030143af4f17fc79dd0cc8
              • Instruction ID: 65263a1fc73572ed514717e14610b405d11c2faff84ab3977b0ea7e1d3b4e126
              • Opcode Fuzzy Hash: 335f1229ad47625e850baeea7f87e94b66ecd9c312030143af4f17fc79dd0cc8
              • Instruction Fuzzy Hash: 804164B4D012589FDB10CFA9D984ADEFBF5BB09314F24902AE918BB310D374A986CF54
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 108e928144a5dcb939ec5b2e7633bec1e82dff1fa808f249f3523bcc5e66f848
              • Instruction ID: f0e7f981f60b6f879a2ad6cd6f6d2e1c785aed2500a422297497bdf1ae49a049
              • Opcode Fuzzy Hash: 108e928144a5dcb939ec5b2e7633bec1e82dff1fa808f249f3523bcc5e66f848
              • Instruction Fuzzy Hash: 654155B4D012589FCB10CFA9D984ADEFBF5BB09314F24902AE918BB310D375A946CF54
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 69d179123eb63b7712929263127943c42ebf86ce17dbd2b3af969f0618c13a4a
              • Instruction ID: fdce6d5770d55231c2b078d933329db643fa39c9094b844028954301da1745c5
              • Opcode Fuzzy Hash: 69d179123eb63b7712929263127943c42ebf86ce17dbd2b3af969f0618c13a4a
              • Instruction Fuzzy Hash: AF413570A05218DFEB209FA5C9845EDBFB2FF88304F224259D505BB256DB31A8A2CF40
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7d64cb6921d286341cf2960f3b6e9384c10203df91abaf6a18071e3ac412da7
              • Instruction ID: 0ac2cfbf769cefa2ce53af1fb5e48ba4255612064c0270bf175a2b0c10f306d5
              • Opcode Fuzzy Hash: b7d64cb6921d286341cf2960f3b6e9384c10203df91abaf6a18071e3ac412da7
              • Instruction Fuzzy Hash: C5219F30B105058FDB00DFBDD88496AB7F9EF8A718B5551AAE506DB321EB30EC05CB90
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 95e111321442a27d2b89b172fc5c15a905cf57e1613942eb2da82d34b34901d5
              • Instruction ID: 2d43ebdd0675fdd40088337a37a32e2a907d2654906edc54f737fe61cb3489b0
              • Opcode Fuzzy Hash: 95e111321442a27d2b89b172fc5c15a905cf57e1613942eb2da82d34b34901d5
              • Instruction Fuzzy Hash: 3A21C131F00146CFCB156B69C5841FEBBB0EF85300B926969D486B724EFB31F9128B95
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 511c69c14fa5229d456003ceca6c7b6ef69776b479ab2a4ed42474fefd5992ea
              • Instruction ID: 3fc8c4a2a734d1d863478a0b6253cba910896ac8f00ae09e248cbd342f73a8bd
              • Opcode Fuzzy Hash: 511c69c14fa5229d456003ceca6c7b6ef69776b479ab2a4ed42474fefd5992ea
              • Instruction Fuzzy Hash: 3D21F371B041158FDB18EB68C8909ADBBF6EF8D264F2495B9E505EB340CE35AC07CB90
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7214da3216784ee77ec51d350692961f397377d5e4eb51e7ca0bfa8572c057ec
              • Instruction ID: 5a99b9a74d6ee6da006acd6287694dd43c9eb4d5baa08f7ebce9220e42d62988
              • Opcode Fuzzy Hash: 7214da3216784ee77ec51d350692961f397377d5e4eb51e7ca0bfa8572c057ec
              • Instruction Fuzzy Hash: B5216D31B106058FDB10DF79D884AAABBF9EF45709F1551AAE506DB221EB30ED05CB50
              Memory Dump Source
              • Source File: 0000000C.00000002.1722163303.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_afd000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c5fc7854108f78cab325437166c9975741d588540d090deaa27bdf1e5207b33
              • Instruction ID: 005cfeffa882628eb7b07e921644b53178628098dc8511b377643c71acb42b7f
              • Opcode Fuzzy Hash: 6c5fc7854108f78cab325437166c9975741d588540d090deaa27bdf1e5207b33
              • Instruction Fuzzy Hash: D32128B1504248DFDB06DF94D9C0B36BF66FB94318F34C569EA090B256C336D816C7A1
              Memory Dump Source
              • Source File: 0000000C.00000002.1722230222.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b0d000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f545c9ab6d5c1ae2af4fdfa108e723318e1d108941b36dc1135787eb512fb13
              • Instruction ID: 139841dea99339d79f640389e7c35c74da02f96cac609790c0a5c2cf8f176696
              • Opcode Fuzzy Hash: 2f545c9ab6d5c1ae2af4fdfa108e723318e1d108941b36dc1135787eb512fb13
              • Instruction Fuzzy Hash: A621F2B1604200EFDB05DF94D9C0B26BFA5FB84314F24C9ADE80A4B2D6C336D816CA61
              Memory Dump Source
              • Source File: 0000000C.00000002.1722230222.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b0d000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16f94303cb1b3ba09e3338824c9889bf42765c530fa7fa7017a103498f59f168
              • Instruction ID: 43e09b53635cbc02a5aa161f3c6611d43332f694aaf426219976a3166ffe7014
              • Opcode Fuzzy Hash: 16f94303cb1b3ba09e3338824c9889bf42765c530fa7fa7017a103498f59f168
              • Instruction Fuzzy Hash: 8F21D0B1604240EFDB14DF54D9D4B26BFA5EB84314F24C5ADD84E4B2D6D33AD807CA61
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2114255732fb6a2de77aed0ac705f6d2688b5bcdbdd094b5a2374a51bf74caf7
              • Instruction ID: 0f2f805fff8b97954d0c523cefd47fb7e2d960a21565da463a3a1d85914ff06d
              • Opcode Fuzzy Hash: 2114255732fb6a2de77aed0ac705f6d2688b5bcdbdd094b5a2374a51bf74caf7
              • Instruction Fuzzy Hash: 7D217C30910609CFDB10FFA8D955AEEBBB1EF49304F10852DE4467B660EF71A984CB91
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 293fba96cafe5d5f1a587ef09313ec336f19f1182138ac9450ec58c64cb36954
              • Instruction ID: 676d7e71b7e1d3e75bdd2ef4cc2411f0785084d228be6c257d5dbaedac8d81f2
              • Opcode Fuzzy Hash: 293fba96cafe5d5f1a587ef09313ec336f19f1182138ac9450ec58c64cb36954
              • Instruction Fuzzy Hash: 9A11A376F00106EFCF116B95D5441ED7FB0EB41355B625CB5D089B3194F230B6368B95
              Memory Dump Source
              • Source File: 0000000C.00000002.1722230222.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b0d000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 87cf2769c9782a8af78a138c26f5541f7ee74c8c04a578355b4a28f945cc43fa
              • Instruction ID: 7e19ed3d61446343d9081995e4d1aee1e52ecba216cb83db419ee39a704c1c86
              • Opcode Fuzzy Hash: 87cf2769c9782a8af78a138c26f5541f7ee74c8c04a578355b4a28f945cc43fa
              • Instruction Fuzzy Hash: EC2192755083809FCB02CF54D994B11BFB1EB46314F28C5DAD8498F2A7D33A981ACB62
              Memory Dump Source
              • Source File: 0000000C.00000002.1722163303.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_afd000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction ID: 9614e0e4adb08476fa887199f5189fe972a1929b373535b7122cce8b00a4a905
              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
              • Instruction Fuzzy Hash: 27112972404244CFCF12CF44D5C4B26BF72FB94314F24C5A9E9050B256C336D856CB91
              Memory Dump Source
              • Source File: 0000000C.00000002.1722230222.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_b0d000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction ID: 393acc0f3e826771ea8899a0d0628442f1c449cb631a470edddcbd4892b77f09
              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
              • Instruction Fuzzy Hash: 0911B875904280DFCB02CF54D5C4B15BFA2FB84314F28C6AAD8494B6A6C33AD81ACB62
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f49faf93b9754820e568a25787eb581c1f102d7f57c87425ff75529ddcb8952f
              • Instruction ID: 809cfae6403113bf29394e7a4a59fb3a49722a170b6b57f7f20f434f59aed6d4
              • Opcode Fuzzy Hash: f49faf93b9754820e568a25787eb581c1f102d7f57c87425ff75529ddcb8952f
              • Instruction Fuzzy Hash: 55113C31910609DFCF00FFA8D9448EDBBB4FF45315F01866AE959AB210EB30AA58CBD1
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 37c26833e4c4de2bce40448f8c12a230a2125bd02e5cfa0eb3c33d68ad59f676
              • Instruction ID: 99c43c2dfb7a09ef2b1e01796b414856480dc948f0f20aa3f25e69bb1c511fdd
              • Opcode Fuzzy Hash: 37c26833e4c4de2bce40448f8c12a230a2125bd02e5cfa0eb3c33d68ad59f676
              • Instruction Fuzzy Hash: E00181303406114BEE286B65D868BBF329A5F80B4DF00507DE90ACBAD1DFE5FE424281
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e0baace5430ab5303ddfa1e3d863e7eab75a2467dd554bc04d9b07f1b205da4
              • Instruction ID: aca10a26806f8beb695af7f4c168253dbf771bde17fa4ef5c95846f4cf7de6d3
              • Opcode Fuzzy Hash: 2e0baace5430ab5303ddfa1e3d863e7eab75a2467dd554bc04d9b07f1b205da4
              • Instruction Fuzzy Hash: 18017DB9F04101AFCF126B65D8540E93FF0DB81344B17197AC04AE3281F130B6178BD5
              Memory Dump Source
              • Source File: 0000000C.00000002.1727414420.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_4ed0000_eFXWrQYLi.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Strings
              Similarity
              • API ID:
              • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
              • API String ID: 0-1677660839